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Abstract. The paper presents probabilistic extensions of interval temporal logic (ITL) 
and duration calculus (DC) with infinite intervals and complete Hilbert-style proof sys- 
tems for them. The completeness results are a strong completeness theorem for the system 
of probabilistic ITL with respect to an abstract semantics and a relative completeness the- 
orem for the system of probabilistic DC with respect to real-time semantics. The proposed 
systems subsume probabilistic real-time DC as known from the literature. A correspon- 
dence between the proposed systems and a system of probabilistic interval temporal logic 
with finite intervals and expanding modalities is established too. 



Introduction 

The duration calculus (DC) was introduced by Zhou, Hoare and Ravn in [ZHR91] as 
a logic to specify requirements on real-time systems. DC is a classical predicate interval- 
based linear-time logic with one normal binary modality known as chop. DC was originally 
developed for real time by augmenting the real-time variant of interval temporal logic {ITL, 
|Mos85t [Mos86j ) with boolean expressions for state and real- valued terms to denote state 
durations. DC has been used successfully in many case studies such as [ZZ94t IDW96t 
ISX981 IDan981[LH99] . We refer the reader to |HZ97j or the recent monograph |ZH04j for a 
comprehensive introduction to DC. 

Temporal logics such as linear temporal logic (LTL), computation tree logic {CTL) and 
their timed versions are used mostly as requirements languages for model-checkers such as 
SMY |McM] and UPPAAL [UPP] which accept descriptions of systems in dedicated input 
languages. The probabilistic variant of CTL |ASB95] has a similar role in the probabilistic 
model checker PRISM |KNPnillPRl] . The systems in use are typically propositional, which 
restricts the variety of properties that can be expressed. This is only in part compensated 
for by the possibility to do fully algorithmic verification. More complex properties and 
systems which, e.g., involve unspecified numbers of concurrent processes or unbounded 
amounts of data have to be viewed as parameterized families and require the development 
of dedicated techniques. Alternatively, model-checkers are used on instances of the systems 
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with artificial bounds on their size, which, however, quickly leads to the notorious state 
space explosion problem. The use of the logics as reasoning tools and not just as notations 
is also limited to optimising simplifications such as abstractions. Unlike these systems of 
logic, the expressive power of DC is geared towards the possibility to capture the semantics 
of the systems to be verified and therefore it is used as a system description language as well. 
Examples include the DC semantics of the timed specification language RAISE proposed 
in [LH99] and the DC semantics of the Verilog hardware specification language |IEE95j 
proposed in |SX98j . This shifts the interest from the satisfaction of DC formulas by given 
models towards validity in DC. 

The needs of applications have brought to life a number of extensions and variants of 
DC. These include state quantifiers and the least fixed point operator |Pan95j . alternative 
sets of interval modalities [Pan96[ IZH981 J3RZ00, He 99bJ, enhancements of the semantics 
to combine real and discrete time |PD981 IHe 99a\ IGue04aj and infinite intervals |ZDL95[ 
IPWX981 ISX981 rWX04] . The extension of 1?C by a probability operator replaces the linear 
model of time of DC by a model based on sets of behaviours with probability on them. 
Despite the absence of an explicit branching-time modality, the probabilistic DC (PDC) is 
essentially a branching-time predicate interval-based temporal logic. 

DC and, consequently, its extensions are not recursively axiomatisable. The worst 
case complexity of decision procedures for validity is high even for very restricted subsets 
of DC such as the so-called propositional DC |ZHS931 IRab98j . No interesting quantified 
decidable subsets of DC seem to be known (The state quantifier in the [P] -subset of DC 
studied in [ZHS93 ] is expressible in that subset and does not increase its ultimate expres- 
sive power.) The propositional abstract-time and real-time ITLs with chop are undecidable 
too. Undecidability is typical of interval-based systems as shown in the early works [HS86] 
and (Ven91at IVen91b| where the chop modality was studied as an example of an operator 
in many-dimensional modal logic. A very simple subset of DC which exhibits its incom- 
pleteness was identified in [Gue04cj . This is compensated by the convenience of achieving 
composionality in specification and particularly the specification of sequential composition, 
which is deemed to be difficult to handle in systems without the chop modality [MQ99j . 
Tool support for ITL and DC has been developed on the basis of PVS |PVSj by combin- 
ing ITL- and Z)C-specific proof and proof through translation into the higher-order logic 
input language of PVS [ SS941 IHu 991 IRas02j . There is also a model- and validity-checker 
DCVALID pPanJ, which accepts the discrete time [P] -subset of DC {QDDC) and a com- 
bination of QDDC with CTL* [ PanOlj and uses MONA [Moii] as a back-end tool. The 
expressive power of these subsets of DC is that of weak monadic second order logic with 
one successor (I^^^IS*). DCVALID has been successful in interesting case studies such as 
that from [Pan02j . However, the finite-state-based algorithms of MONA impose on it the 
same ultimate limitations as in other model-checking tools. That is why proof systems are 
a relatively important instrument for verification by DC and its extensions. 

DC was originally introduced for real time, whereas PDC was first introduced in 
|LRSZ93] for discrete time. A system of real-time PDC was introduced later in [DZ99] 
where some axioms were proposed too. However, these axioms do not form a complete 
proof system. Calculation with direct reference to the semantics was used to reason about 
properties expressed in PDC in both works. More case studies in PDC were given in 
|Jos95| and recently in |ZH04j . which contains a chapter on discrete time PDC . The deduc- 
tive power of the proof system for discrete time PDC used in |ZH04] has not been studied 
either. 
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A first attempt to develop a complete proof system for PDC was made in |Gue98] . 
where a system of probabilistic ITL was proposed with the -DC-specific state expressions 
with finite variability withdrawn. However, the semantics of that logic had some non- 
standard elements for technical reasons, and the proof system was a mixture of ITL and 
elements from Neighbourhood Logic {NL, [ZH981 IRZ971 |BRZ00| ). Some of these problems 
were eliminated in |Tri99j . A more streamlined system of probabilistic NL and a complete 
proof system with respect to its abstract-time semantics was proposed later in jGueOOj . The 
use of a (commutative) linearly-ordered group as the model of time in that system after 
Dutertre's work on abstract-time ITL |Dut95a| allowed a finitary complete proof system 
to be obtained. However, PNL still had some loose ends; the questions of the precise 
correspondence between PNL and the original systems of PDC from |LRSZ93l IDZ99j and 
of the deductive power of the proof system with respect to real-time models remained 
open. Systems of (non-probabilistic) branching time NL were developed in the recent works 
|BMS0 7] and [BM05j . Some of these systems can be viewed as the underlying branching 
time logics of PNL. The works [BMS07j and |BM05| present the propositional variants of 
these branching time interval temporal logics and focus on decision procedures for them. 

In this paper we first propose another system of probabilistic ITL. Unlike that from 
|Gue98j . this system is based on infinite intervals. We propose a proof system for probabilis- 
tic ITL with infinite intervals which is complete with respect to the abstract-time semantics 
based on that for ITL with infinite intervals from [WX04j . The use of infinite intervals 
removes the need to admix NL modalities in proofs, which was done in [Gue98] . Then we 
develop a system of probabilistic DC (PDC) as an extension of the proposed probabilistic 
ITL and demonstrate that adding the DC axioms and rules known from |HZ92] to our proof 
system for this probabilistic ITL leads to a proof system for PDC with is complete with 
respect to real-time models relative to validity at the real-time-based frame in probabilistic 
ITL with infinite intervals. The incompleteness of DC implies that relative completeness 
like that from |HZ92j for basic DC is the best we can have with a finitary proof system. 
Finally, we describe satisfaction-preserving translations between A^L-based PDC and the 
system of PDC with infinite intervals that we propose. 

Our system of PDC has some slight enhancements in comparison with the original 
probabilistic DC from |LRSZ93l IDZ99| . They both improve its expressivity and facilitate 
the design of the proof system. The first enhancement is a simplification. We remove the 
extra reference time point needed to define the probability operator. The role of this time 
point is naturally transferred to the flexible constant i which expresses interval lengths in 
DC. This extends the possibilities for meaningful nesting of occurrences of the probability 
operator and allows the expression of probabilities of properties which are probabilistic 
themselves. The second enhancement is the use of infinite intervals. It is a consequence of 
our developing of PDC as an extension of an infinite- interval-based system of probabilistic 
ITL. As mentioned above, this makes it possible to avoid the use of an expanding modality 
such as those of NL, which was made in [GueOOj . The combination of the chop modality 
and infinite intervals has the expressive power of expanding modalities with the advantage 
of keeping the introspectivity of chop, which is a technically useful property. We discuss the 
trade-offs between NL and ITL in Section [9l The last enhancement is the replacement of the 
probabilistic timed automata which were used in [DZ99] to define sets of behaviours and 
the respective probability functions for PDC models by arbitrary systems of probability 
functions, which can be constrained by additional axioms in PDC theories. One such 
constraint that we study in detail is the requirement on all the probability functions in a 
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model to be consistent with a global probability function which is defined on the space of all 
the behaviours of the modelled system. Models which describe the behaviour of automata 
like those involved in the definition of the original system of real-time DC from |DZ99 ] can 
be described by PDC theories in this more general setting too. 

Structure of the paper. After the necessary preliminaries on ITL with infinite intervals and 
DC we introduce our system of probabilistic ITL with infinite intervals and a proof system 
for it. We prove the completeness of this proof system with respect to the abstract semantics 
of probabilistic ITL, which is the main result of the paper. Then we propose axioms which 
constrain the system of probability functions in models of PITL to be consistent with a 
global probability function to the extent that this constraint can be formulated in the setting 
of abstract probabilies. In the rest of the paper we introduce a system of probabilistic DC 
as an extension of the new system of probabilistic ITL by state expressions and duration 
terms for them based on the real-time frame of probabilistic ITL. We show how this 
system of PDC subsumes the system proposed in |DZ99j. The main result about PDC 
is the completeness of the well-known axioms oi DC from ^Z92] relative to validity in 
real-time and -probability-based models for probabilistic ITL. Before concluding the paper 
we explain the correspondence between PNL from [ GueOO| and the infinite-interval based 
PITL proposed in this paper. We conclude by explaining some of the limitations of the 
scope of its main results. 

1. Preliminaries 

In this section we give preliminaries on ITL and DC with infinite intervals as known 
from IZDL95', IPWX981 15X9^ IWX04j and the probability operator of PDC as introduced 
in plSZ93..DZ99] . 

1.1. Interval temporal logic with infinite intervals. Here follows a brief formal in- 
troduction to ITL with infinite intervals as presented in [WX04| . which extends the finite 
interval abstract-time system of ITL proposed and studied in |Dut95a| . 

1.1.1. Language. An ITL vocabulary consists of constant symbols c,d,..., individual vari- 
ables x,y,z, . . function symbols f,g,... and relation symbols R, . . .. Constant, function 
and relation symbols can be either rigid or flexible. Below it becomes clear that rigid 
symbols have the same meaning at all times, whereas the meaning of fiexible symbols can 
depend on the reference time interval. The rigid constants and oo, addition -|-, equality 
=, the flexible constant i, which always evaluates to the length of the reference interval, 
and a countably inflnite set of individual variables are mandatory in every ITL vocabulary. 
We denote the arity of function and relation symbols s by #s. 

Given a vocabulary, the deflnition of an ITL language is essentially that of its sets of 
terms t and formulas (p, which can be defined by the following BNFs: 
t ::= c\x\ f{t,...,t) 

if ::= _L I . . . ,t) \ {if ^ if) \ {if; if) \ 3xLp 
Many authors use the alternative notation ip'~'ilj for formulas {(p; ip) which are built with the 
chop modality. 
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Terms and formulas with no occurrences of flexible symbols are called rigid. Other 
terms and formulas are called flexible. The set of the variables which have free occurrences 
in a formula (p is denoted by FV{ip). 

1.1.2. Models and satisfaction. A finite interval ITL frame consists of a linearly ordered 
set (T, <) called the time domain, a monoid {D, 0, +) called the duration domain and a 
function m : I(r) — > D called the measure function, where 

I(r) = {[ti,T2] ■■ Ti,T2 eT.Ti < T2} 

is the set of the closed and bounded intervals in T. The monoid [D, 0, +) is required to 
satisfy some additional axioms. The full list of axioms is: 
{Dl) x+{y + z) = {x + y)+z 

{D2) ,T + = + x = x 

(Z?3) x + y = x + z^y = z, x + z = y + z^x = y 
{D4) x + y = 0^x = y = 

(D5) 3z{x + z = y \J y + z = x), 3z{z + x = y\Iz + y = x) 
The measure function m is required to satisfy the axioms: 

(Ml) m([ri, rs]) = m([ri, r^]) ^ T2 = 

(M2) m([ri,T]) +m([r,r2]) =m([ri,r2]) 

(M3) m([Ti,T2]) =x + y^3T(m([ri,r]) = x) 
In the case of ITL with infinite intervals the time domain (T, <) is supposed to have 
a distinguished greatest element 00 and m is defined on the set i(r) = I^"(T) U V''f{T), 
where 

l/^"(r) = {[ri,r2] : ti,T2 eT,Ti<T2< 00} and F"-^ (T) = {[r, 00] : r G T, r < 00}. 

The duration domain is augmented with a greatest element 00 too. The axiom D3 is 
weakened to 

{D3') x + y = x + z=>x = oo\/y = z, x + z = y + z^z = oo\/x = y 
and the following axioms about durations and the measure functions are added: 
(D6) x + y = (X)-^x = (X)\Jy = oo 
(M4) ra{[Ti,T2]) = oc iff r2 = 00 

Given cii, (T2 € I(r) such that maxai = min(T2, we denote ai U a2 by ci; (T2. 
A function I on an ITL vocabulary L is an interpretation of L into a frame 
F = ((T, <, 00), {D, +, 0, 00), m) if it satisfies the conditions: 

I{c),I{x) G D for rigid constants c and individual variables x; 
I{f ) G [D't^f — > D) for rigid function symbols /; 
I{R) G (Z)*^ {0, 1}) for rigid relation symbols R; 

I{c) G (i(T) ^ D), I{f) G (i(r) X D*i ^ L>), /(i?) G (i(T) X L>#« ^ {0,1}) for 
fiexible c, / and R\ 

7(0) = 0, /(do) = 00, /(+) = +, /(=) is = and I{1) = m. 

An infinite-interval model for an ITL vocabulary L is a pair of the form {F, I) such 
that F is a frame and I is an interpretation of L into F. 

Definition 1.1. Given a model {F,I), the values Ia{t) of terms t at intervals a G i(T) is 
defined by the clauses: 
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Ia{x) = I{x) for individual variables x 

Ia{c) = I{c) for rigid constants c 

laifih, • • • , t#f)) = I{f){Ia{ti), Ia{t#f)) for rigid function symbols / 

/o-(c) = /(c) (a) for flexible c 

/,(/(*!, . . .,*#/)) = /(/)(a,7,(ii), . . .,Ia{t#f)) for flexible / 



In particular, /ct(^) = m{a), which means that the function on I which is the meaning 
of the flexible constant £ always evaluates to the length of the reference interval a. 

Definition 1.2. Let / be an interpretation of some ITL vocabulary L into a frame F whose 
duration domain is {D, +, 0, oo). Let x be an individual variable in L and d E D. Then the 
interpretation J of L into F which is defined by the equalities 

J{x) = d and J{s) = I{s) for s G L \ {x} 

is denoted by and is called a x-variant of I. We abbreviate (. . . {Ix\)'^2 ■ ■ Ox^ by lt\','.'.'.'^Z 
and call it an xi, . . . ,x^-variant of I. An xi, . . . ,Xn-variant of I for some finite list of 
variables xi, . . . , x„ is called just variant. 

The modelling relation \= on models based on some frame F, intervals a and formulas in 
the vocabulary L is defined by the clauses: 

(F,7),(7 \= R{h, ...,tn) iff I{R){Ia{ti), . . .,Ia{tn)) = 1 for rigid R 

{F,I),a^R{ti,...,tn) iS I{R){cJ,I„{ti),...,I^{tn)) = 1 for flexible i? 
{F, /), a ^ ((^ ^ V) iff either {F, I),a^^ or (F, I),a^tp 
(F,/),ah(<^;V) iff 

(F,/),(Ti \=ipand (F,/),(72 H V'^ 

for some ai € I-^"(Tp) and 1T2 G I(Ff) such that (Ji ; (72 = cr 
{F, I), a \= 3xip iff {F, I^),a ^ (p for some deD 

1.1.3. Abbreviations and precedence of operators. The binary relation symbol < is defined 
in ITL by the equivalence 

X < y <^ 3z{x + z = y). (1-1) 
The customary infix notation for +, < and = is used in ITL. T, A, =^ and 4^, V, >, < 
and > are used in the usual way. We denote the universal closure Vxi . . . Vx„(^ of a formula 
(p where {.Ti, . . . , Xn} = FV{ip) by Vp. 

Since (.; .) is associative, we omit parentheses in formulas with consecutive occurrences 
of (.;.). Here follow the infinite-interval versions of some ITL abbreviations: 

Oif ^ (T; ip; T) V (T; p) , Op - -^O^p . 
Note that □ and O abbreviate different constructs in the original discrete-time system of 
ITL of Moszkowski. Our usage originates from the literature on DC. The disjunctive 
member (T; (p) in the definition of O is relevant only at infinite intervals. The formula 
(T; p; T) without it restricts the subintcrval which satisfies p to be finite. 

We assume that O and □ bind more tightly and (.; .) binds less tightly than the boolean 
connectives. 
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1.1.4. Proof system. A complete proof system for abstract-time ITL with finite intervals 
is given in [Dut95aj . The following axioms and rules have been shown to form a complete 
proof system for ITL with infinite intervals when added to a Hilbert-style proof system for 
classical first-order predicate logic and the axioms Dl, D2, D3', DA^DQ about durations in 
[WX04j : 

(.41) (v?; ^) A ^(x; ^x; V-), iv; ^) a -(v?; x) ^ (v?; V' a -x) 

(^2) ((^;7/.);x)^(v';(^/';x)) 

{R) {if] i/j) if, (V^; cp) => if (p is rigid 

(B) (^xip; tp) ^x{(p; V"), (V'; ^xip) =^ 3x{ip; </?) if a; Fy(V') 

(LI) {£ = x;ip) ^ -i(£ = x; -■(/?), {(p;£ = x A x ^ oo) ^ "'("'¥'; ^ = a;) 

(L2) ^ = x + yAx/oo-<4>(^ = x;^ = y) 

(L3) (£ = 0;(^), v3A^/oo^ (99;^ = 0) 

(SI) (^ = xA99;V') ^-(^ = 2:A-V?;X) 

(PI) -(^ = oo;v9) 

(P2) ((^; ^ = oo) ^ ^ = CX) 

(P3) ((^; ^ / oo) ^ ^ / CX) 



(Mono) 



ip <p 



(f ^ Ip ip ^ Tp 



{f;x) (V';x) ' ix;^) =^ (x;V') 

The presence of the modality (.; .) and flexible symbols in ITL brings a restriction on the 
use of first order logic axioms which involve substitution such as 

{3r) [t/x]ip =^ 3xip. 

The application of this axiom is correct only if no variable in t becomes bound due to the 
substitution, and either t is rigid or (.; .) does not occur in ip, because the value of a flexible 
term could be different at the different intervals which are involved in evaluating formulas 
with (.; .). 

The correctness of the proof system can be established by a direct check. Here follow 
some comments and informal reading of the axioms and the proof rules which can be 
helpful for their understanding too. Al states that if chopping into a 99-subinterval and a 
t/'-subinterval is possible, but chopping into a x-subinterval and a ^/^-subinterval is not, then 
any chopping into a cp- and a ^-subinterval would lead to a 99-subinterval which additionally 
satisfies the negation of x- In the presence of the rules Mono and propositional tautologies 
one can choose between Al and the axiom 

(a;V)V(/3;V')^(aV/?;V), 

which can be described as distributivity of (.; .) over V. Axiom B can be viewed as an 
parametric analogon of this distributivity axiom, with 32; to be read as parametric (possibly 
infinitary) disjunction. A2 is just the associativity of (.; .). R states that the satisfaction of 
rigid formulas does not depend on the reference interval. LI and 5*1 express that if, upon 
dividing an interval, the duration of one of the subintervals is fixed, then the properties of 
both subintervals are completely determined. This is so because the subintervals themselves 
are uniquely determined. L2 is the additivity of length. P2 and P3 give separate treatment 
to some special cases of additivity that arise from the presence of infinitely long intervals. 
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L3 states that intervals of length can be assumed at either end of any interval. P3 rules 
out the interval [oo;oo]. The rules state that valid formulas are valid in subintervals 
too. These rules are the standard form of the modal logic rule Lp/^Lp, yet about the binary 
modality (.; .). The fact that weakening the condition on a subinterval in a (.; .)-formula can 
only facilitate the satisfiability of the whole (.; .)-formula is expressed by the rules Mono. 

1.2. DC with infinite intervals. The formal definition of DC with infinite intervals as 
an extension of the logic of the real-time-based frame of ITL with infinite intervals below 
is after [ZDL95| . The main feature oi DC relative to ITL are state expressions which 
are propositional formulas that denote piece-wise constant {0, l}-valued functions of time. 
Unlike purely-JTL flexible symbols, DC state expressions denote functions on time points 
and not intervals. 

1.2.1. Language. DC vocabularies are ITL vocabularies extended by state variables P,Q,.... 
State variables are used to build state expressions S which have the syntax 

S ::= 0\P\S^ S 

and in turn appear as the argument of duration terms J S which are the £)C-specific con- 
struct in the syntax of terms t: 

t ::= c I X I f I J 5 I f{t, . . . ,t) 
Duration terms are regarded as flexible. The syntax of formulas is as in ITL. 

Flexible constants and 0-ary flexible predicate letters in DC are also known as temporal 
variables and temporal propositional letters, respectively. 

1.2.2. Semantics. We are only interested in real-time DC which is based on the ITL frame 

Fr = ((R, <, oo), (R+, +, 0, oo), Xa. max a — mina) 

where R = R U {oo} and R+ = {j; e R : x > 0}. 

DC interpretations extend ITL interpretations to provide values for state variables, 
which are functions of type R {0, 1} that satisfy the following finite variability require- 
ment: 

For every pair ti,T2 G R such that ri < T2, and every state variable P there 
exist an n < u; and r{ , . . . , € R such that ri = t{ < ... < = T2 and 
I{P) is constant on the semi-open intervals [r/, t-^-^), i = 1, . . . ,n — 1. 

Given an interpretation /, the values IriS) of state expressions S at time r G R are defined 

by the equalities 

/r(0) = 

Ir{P) = I{P){t) for state variables P 

IriSl^S2) = max{l-Ir{Sl),IriS2)) _ 

The value I^iJ S) of duration term J S at interval a G I(R) is defined by the equality 

max cr 

UIS)= J Ir{S)dT 
min a 

Note that hi! S) can be oo for a G I*"''^(R). The values of other kinds of terms and j= are 
defined as in ITL. 
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1.2.3. Abbreviations. The boolean connectives V, A and ^ are used in state expressions 
as abbreviations in the usual way. The following abbreviations are specific to DC: 

1 ^ ^0 

[5] ^/5 = £A^/0 
Sometimes £ is introduced as an abbreviation for j 1. 

1.2.4. Proof system. The axioms and rules below were proposed in [HZ92| for DC with 
finite intervals. 

(DCl) /0 = 
IdC2) Jl = i 
[DCS] JS>0 

(DCi) / 5i + / 52 = /(5i V 52) + /(5i A 52) 
{DC5) {JS = x;JS = y)^ JS = x + y 

{DC6) J 5i = J 52 if 5i and 52 are propositionally equivalent 
fIRl) = ^^[AV {A; [5] V l^S^)/A]^ 

[T/A]^ 

(IR2) = OMly. ^ [A V ( ^51 V [^5] ; A)/A]ip 

[T/A]^ 

These axioms and rules have been shown to be complete with respect to the finite- 
interval variant ((R, <), (R+, + ,0), Xa. max a — mino") of -Fr, relative to validity in the class 
of the ITL models which are based on the finite- interval variant of in [HZ92] . 

The correctness of IRl and IR2 is based on the finite variability of state. Since every 
finite interval can be partitioned into finitely many subintervals in which the state expression 
5 is constant, proving the validity of a property 99 about zero- length intervals and proving 
that the validity of ip at intervals with n alternations of the value of 5 implies the validity 
of the same property about intervals with n + 1 such alternations is sufficient to conclude 
that if holds about intervals with any finite number of alternations of the value of 5. This, 
by the assumption of finite variability, means that is valid about all intervals. The 
completeness proof from |HZ92 j involves two theorems which can be derived using the rules 
IRl and Ii?2, instead of the rules themselves. The second of these theorems does not hold 
for infinite intervals and therefore we modify it appropriately: 
(Tl) ^ = 0V(r51;T)V(h51;T) 
{T2) ^ = 0V^ = ooV(T;[51) V(T;r-51) _ 
The use of Tl and T2 instead of IRl and IR2 brings technical convenience to the repre- 
sentation of DC as a theory in ITL with DC1-DC6, Tl and T2 as its axioms in the proof 
of relative completeness. 

We take DC1-DC6, Tl and the infinite-interval version of T2 as axioms to form a 
relatively complete proof system for DC with infinite intervals and disregard the rules IRl 
and IR2 in the rest of the paper. The proof of the relative completeness of this system 
follows closely the pattern of the original proof from [HZ92j . It appears as part of the 
proof of the relative completeness of our infinite-interval-based system of probabilistic DC 
in Section [8l 

1.3. Probabilistic DC for real time. Probabilistic DC was first introduced for discrete 
time in |LRSZ93] . There is a chapter on discrete time probabilistic DC in |ZH04| too. Here 
follows the formal definition of real-time probilistic DC as introduced in jDZ99| . 
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1.3.1. Real-time probabilistic automata. The semantics of the real-time probabihstic DC as 
originally proposed in |DZ99j is based on a class of real-time probabilistic automata. 

Definition 1.3. A finite probabilistic timed automaton is a system of the form 

A= {S,A,so,{Qa,ae A),{pa : a £ A)) (1.2) 

where: 

5 is a finite set of states; 

A C {(s, s') : s, s' € S, s ^ s'} is a set of transitions; 
So € is called the initial state; 

Qa G [0, 1] is the choice probability for transition a & A; 
Pa € (R+ — > R+) is the duration probability density of transition a. 
Given the automaton A, Ag denotes {s' G S : (s, s') € A}. If a € A and a = {s, s'), then 
s and s' are denoted by and a"*", respectively. Choice probabilities qa are required to 

oo 

satisfy J2 Qa = ^ for Ag ^ 0. Probability densities pa are required to satisfy / pa{T)dT = 1. 

An automaton A of the form (11. 2p works by going through a finite or infinite sequence 
of states So, si, . . . , Sn, ■ ■ ■ such that (sj, Sj+i) € A for all i. Each transition has a duration 
di, which is the time that elapses before Sj changes to Sj+i. Thus individual behaviours of 
A can be represented as sequences of the form 

{ao,do),...,{an,dn),... (1.3) 

where Oj G A, di G R_|_, Oq = sq and af = a~,_-^ for all i. Having arrived at state s, A 
chooses transition a (z Ag with probability qa- The probability for the duration of a to be 

T2 

in [ri,T2] is / pa{T)dT. 

n 

Automata of the above type are closely related to the probabilistic real-time processes 
known from |ACD91l [^CD92] . 



1.3.2. DC models for real-time probabilistic automata behaviours. Probabilistic DC was 
introduced in [D Z99| for vocabularies built to describe the behaviours of given real-time 
probabilistic automata. The DC vocabulary La for (jl.2p has the states s € 5 as its state 
variables. The only other non-logical symbols are the mandatory ones. A DC interpretation 

of La describes the behaviour (|1.3p of A if for all i < w r € ^ dj, ^ dj implies that 

j<i j<i J 

Irisk) = 1 just for k = i. 



1.3.3. Satisfaction probability of DC formulas and probabilistic DC for real time. Given a 
real-time probabilistic automaton ()1.2|) . the set Wa of all the interpretations of La which 
describe possible behaviours of A can be endowed with a probability function //a- Given 
A C Wa, ^AiA) can be defined as the probability for A to have a behaviour described 
by an interpretation in A. The sets A in the domain of fx a should be chosen from some 
appropriate boolean algebra of subsets of 2^^. Details on the definition of fiA, including 
explicit formulas for ^a in terms of Pa and qa, can be found in [DZ99| . 

Given r € R+ and a DC formula ip in the vocabulary La, the value of the PDC term 
/^A (¥')(■'") is defined as 

/iA(U GWa: I, [0,r] h (/,}). 
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Probabilistic DC for real time was introduced in [DZ99] by enhancing DC with terms of 
the form ii[(p){t) where (/9 is a DC formula in La for some automaton A and t is a term. 
The values of such terms were defined by the equality 

Note that Ifj{^[Lp){t)) depends on a only through the value of t. This means that fi{ip){t) 
is rigid iff t is. 

2. Probabilistic ITL with infinite intervals 

In this section we extend abstract-time ITL with infinite intervals by a probability 
operator which generalises the operator /u(.)(.) of PDC from [LRSZ931 IDZ99] . The new 
probability operator is more expressive and syntactically simpler than (.)(.). Instead of 
the binary n{ip){t) we use a unary p{if) which takes the formula argument ip of /j,. The 
semantics of p{(p) given below makes it clear that the term argument t which determines 
the length of the interval at which ip is to be evaluated need not be written separately 
because ^{(p){t) can be expressed as p{{'p A i = t;T)). To accomodate the arithmetics 
of probabilities, abstract-time frames for the new system of probabilistic ITL include a 
similarly abstract probability domain. We use the acronym PITL for the new system. 
PITL and its proof system is the main topic of this paper. As it becomes clear below, PITL 
can be extended to PDC in a straightforward way. 

2.1. Language. PITL vocabularies are two-sorted, with durations and probabilities being 
the two sorts. For this reason, instead of just arities, the non-logical symbols have types 
which determine the sorts of each argument in the cases of function and relation symbols, 
and the sort of terms built using the symbol for constants, variables and function symbols. 
A term or atomic formula s{ti, . . . is well formed only if the sorts of the argument 
terms ii, . . . , t^s match the type of s. 

Along with the mandatory non-logical symbols 0, oo, + and i of the duration sort, 
PITL vocabularies are required to include the rigid constants and 1 and addition + of 
the probability sort. Equality = is included for each sort too. We use the same characters 
to denote these otherwise distinct symbols as long as this causes no confusion. We assume 
countably infinite sets of individual variables of either sort and no more than countably- 
infinite sets of other symbols in PITL vocabularies. 

The syntax of PITL terms extends that from ITL by terms of the form p{ip) where (p 
is a formula. These terms are of the probability sort and we call them probability terms. 
FV{p{ip)) = FV{ip) and p{ip) is rigid iff ip is rigid. 

The syntax of formulas is as in ITL. 

2.2. Models and satisfaction. The main part of a PITL model is a collection of interpre- 
tations of the given vocabulary into a given two-sorted frame for ITL with infinite intervals. 
These interpretations are meant to describe the possible behaviours of a modelled system. 
Unlike the original PDC models, which assume a global probability function that is derived 
from the laws of probabilistic behaviour of appropriate automata, we assume a probability 
distribution to model the probabilistic branching of every behaviour at every time point. 
Restrictions on the system of probability distributions which, e.g., force them to model the 
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choice and duration probabilities of an appropriate automaton can be imposed by additional 
axioms such as those from Section [6.31 

Definition 2.1. A PITL frame is a tuple of the form 

F = ((r,<,oo),(D, +,0,oo), ([/,+, 0,1), m) , 

where {T,<,oo), {D,+,0,oo) and m are as in frames for ITL with infinite intervals and 

(f/, +,0, 1) is a commutative monoid with the additional constant 1, which is called the 

probability domain. {U,+,0,1) is supposed to satisfy some additional axioms. Here follows 

the fuh list: 

(Ul) x + {y + z) = {x + y) + z 

{U2) X + y = y + X 

(US) x + = x 

(C/4) x + y = x + z^y = z 

{U5) x + y = 0^x = y = 

{U 6) 3z{x + z = y\/y + z = x) 

IU7) / 1 

We use the same symbols for + and in both duration domains and probability domains, 
despite that they are different entities, as long as this causes no confusion. Probability 
domains are assumed to be ordered by the relation < which is defined by (II. ip like in the 
case of durations. 

For the rest of the section L denotes some PITL vocabulary and F is some PITL frame 
with its components named as above. 

Definition 2.2. A PITL interpretation of Ij into F is a function I on L which satisfies the 
conditions: 

I{c),I{x) G A for rigid constants c and individual variables x where A is either D or 
U, depending on the sort of the symbol; 

/(/) G (^1 X ... X A^f — >■ A^f^i) for rigid function symbols / where Ai, . . . ,A^f^i 
are either D ox U each, depending on the sort of the respective argument of / and the sort 
of the value of /. 

I{R) G (^1 X ... X A^ji {0, 1}) for rigid relation symbols R where Ai, . . . , ^#_r are 
chosen as for function symbols; 

/(c) G (i(r) ^ A), I{f) G (i(T) xAiX...xA#f^ and 
I{R) G (I(T) X ^1 X ... X A^ji {0, 1}) for flexible c, / and R where the ^s are chosen 
as for rigid symbols; 

/(O) = 0, /(+) = + and /(=) is = for 0, + and = of either sort and its corresponding 
domain in F. /(I) is the constant 1 from U. I{oo) = oo and I{i) = m like with ITL 
interpretations. 

Consider a non-empty set W, a function / on W into the set of the PITL interpretations 
of the fixed vocabulary L into the fixed frame F and a function P of type W x T x 2^ — > U. 
Let I^ and P'^ abbreviate /(w) and Xt, X.P{w,t, X), respectively, for all w G W. I^ and 
P"^ , G W, are intended to represent the set of behaviours and the associated probability 
distributions for every r G T in the F-based PITL models for L to be defined below. 

Definition 2.3. Let t ^T. We define the equivalence relation =r on W for all r G T by 
putting w =r V \S 

I^{s) = F{s) for all rigid symbols s G L, except possibly the individual variables; 
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I'^{s){a, di,. . . , d^s) = I^{s){<7, c?i, • • • , d^s) for all flexible s G L, all di, . . . , d^g from 
the appropriate domains and all a G I(r) such that maxcr < r; 

P^{t', X) = P^ij', X) for all X C W and ah r' < r. 
Given u; G W and t € T, we denote the set 

{v & W : V =T w} 

by W^,^. 

Members of W which are r-equivalent stand for the same behaviour up to time r. If 
Ti > T2, then =riC=T2 and w =00 v holds iff P'^ = P'" and and P agree on all symbols, 
except possibly some individual variables. W^,^,- is the set of those v G W which represent 
the probabilistic branching of w from time r onwards. 

Definition 2.4. A general PDC model for L is a tuple of the form {F,W,I,P) where F, 
W, I and P are as above and satisfy the following requirements for every w G W: 

W is closed under variants of interpretations. If u; G W, x is an individual variable 
from L and a is in the domain from F which corresponds to the sort of x, then there is a 
V eW such that P" = P^' and F = {1"")%. 

pw fQpresents probability measures. The function XX.P'^{t,X) for every w G W and 
T G T is a finitely additive probability measure on the boolean algebra 

(2W,n,U,0,W). (2.1) 

and satisfies the equality 

P"'(r, X) = P'^ir, X n W^,^) for all X CW, 
which means that XX.P'^{t,X) is required to be concentrated on the set W^,,-. 

Informally, a general PITL model is based on a set W of descriptions of infinite be- 
haviours made by means of the ITL interpretations I"^ which arc associated with each 
w G W. All the interpretations I'^ arc into the same frame -F and are supposed to treat 
rigid symbols identically to express that, c. g., arithmetics is the same in all behaviours. 
It is assumed that, given a finite initial part of a behaviour w until time r, the modelled 
system can proceed according to a description within the set W^^t- of the behaviours which 
are the same as w up to time r. The probability for the system to choose a behaviour in 
XCW^,r is P^{t,X). 

Next we define term values Wcj{t) and the satisfaction of formulas in PITL models. The 
definitions of term values, the modelling relation \= and its associated notation |.| for terms, 
formulas, models and time intervals in PITL are given by the following clauses, where the 
components of the model M are named as above: 



Term values 



W(j{x) = I^{x) for variables x 

Wa{c) = I^{c) for rigid c 

wMiti,...,t#f)) = I^{f)Mt,),...,Wait#f)) for rigid/ 

Wa{c) = /"'(c) (cr) for flexible c 

wM{h,-..,t#f)) = I^{f){a,w^{ti),...,wait#f)) for flexible/ 

Wa{p{i^)) = P"'(maX(7, IV'lM.ro.a) 
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Here |V'1m,io,(t stands for 

(2.2) 

where X X 5 • • • ; *^?T, 8)1*6 the free variables of ^. This means that [^]m,u),o- consists of the 
behaviours v which are max cr-equivalent to w and satisfy ifj at the infinite interval starting 
at mino". 



Satisfaction of formulas 
M,w,a^ 1. 

M,«;,a h R{ti, ■ ■ ■,t#R) iff /"'(i?)K(ti), . . .,w„{t#R)) = 1 for rigid R 
M,w,a\= R{ti, . . .,t#R) iff I'"{R){a,Wa{ti), . . .,Wa{t#R)) = 1 for flexible R 
M, w , a \= {ip ^ ip) iff either M, w,a ^ if or M, \= ip 

M, \= {if; ip) iff M, w,ai \= ip and M, 'w,a2 \= ip 

for some ai S lf^^{Tp) and o"2 G such that C7"i; (72 = cr 

M, cr 1= 3x(/7 iff M, (T ^ (/? for some v G W and some a from the 

domain of the sort of x such that P"" = P"" and P = 

Obviously M, cr ^ V iff I^)^ [minu, oo] \=itl V' in non-probabilistic /TL for tjj with 
no occurrence of probability terms. 

The probability functions \X.P^[t,X) for w G W and r G T in general PITL models 
M = {F,W , I , P) are needed just as much as they provide values for probability terms. 
That is why these functions need not be defined on the entire algebra (j2.ip . Indeed, it is 
sufficient for XX.P'^{t,X) to be defined on the (generally smaller) algebra 

{{MM,w,a : V G L,c7 G i(T),maxc7 = r}, n, U, 0, W^,^), 

which we denote by 'BM,w,r- This observation justifies the broadening of the definition of 
general PITL models as follows. 

Amendment to Definition 12.41 Structures of the form M = {F, W, P, I) from Definition 
\2.4\ but with their probability functions XX.P^{t,X) defined just on the respective algebras 
'Bm,w,t, fl'^e general PITL models too. 



Example A PITL model Ma = (-^R^WjP, /) which is based on the real-time frame Fr 
and describes the working of a given probabilistic automaton A of the form ()1.2p from 
Definition 11.31 can be defined as follows. The vocabulary of Ma includes of the mandatory 
symbols 0, +, I, . . . , the transitions a G A as flexible 0-ary predicate letters, and the 
choice probabilities qa as rigid constants. As for the duration probability densities pa, it is 

T 

convenient to have rigid unary function symbols Pa which denote the functions Ar. J pi,{t)dt. 



The vocabulary does not provide direct reference to the states of A as done in PDC; 
behaviour is instead described in terms of transitions whose beginnings and ends mark the 
times of state change. Every possible behaviour (II. 3p is described by a w G W such that 



j<i j<i 



1. /"'(a)([Ti, T2]) = 1 holds only if [ri, T2] is one of the intervals 
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dj, J2 '^j , i < and a is the corresponding Oj. Given w € W and r G R_(_, P^{t, X) 

j<i j<i 

is defined as the probabihty for the finite behaviour described by w up to time r to develop 
into an infinite behaviour from X. For instance, let 

(FR,I-),[0,r] Nr;a), 

which means that the interval [0, r] accommodates a finite sequence of transitions which 
ends at a and a new transition is to begin at time r. Then, ii b & A and b~ =0"*", P"" 
satisfies the equality 

P'"(r,[(6Ax<^A^<y;T)]MA,^,[.,.]) =(?b / Pb{t)dt. (2.3) 

Here {{b A x < £ A i < y; T)]^^^ j^ ,-] is the set of all the behaviours in which the part of w 
until time r is continued by transition b and the duration of b is in the range [I^{x), I"'{y)]. 
The equality ()2.3p describes the probability for such a development to take place. If the 
source state of 6 is sq, then (|2.3p holds for r = and all w as well. (12. 3p entails that the 
formula 

-(T; a;£ = OA p{{b A x < £ A £ < y;T)) ^ qb.{Pb{y) - Pb{x))), (2.4) 
is valid in Ma- This formula means that the probability for a behaviour satisfying (b A 
X < £ A £ < y;T) to take place after (T;a) is qb-{Pb{y) — Pbi^)), which, by the chosen 
interpretation of P^, is equal to the righthand side of (|2.3p . 

Describing probabilistic real-time automata in a system of infinite interval probabilistic 
duration calculus which corresponds to PITL is the topic of Section 16.31 

We conclude the definition of PITL semantics with a remark on the underlying model 
of time. As mentioned in the introduction, PDC and PITL are essentially branching-time 
interval logics. An alternative way to introduce the semantics of PITL could be to use 
partially ordered time domains (T, <) with some additional conditions on their maximal 
linearly ordered subsets. Given a PITL model (F, W, /, P) as described above, we can 
construct the corresponding partially ordered time domain by taking 

{(r,W^,,) :r Gr,w;G W} 

as the set of time points and defining the partial ordering by the clause 

(ri, Wi) < {t2, W2) iff ri < T2 and Wi 2 W2. 

The chosen way to define PITL models saves us the need to reformulate results on ITL 
which are essentially linear-time and are therefore known in the literature just for the sake 
of notation differences. 



3. A PROOF SYSTEM FOR PITL 

In this section we propose axioms and a proof rule for PITL. If added to the complete 
proof system for ITL with infinite intervals from [WX04] given in Section 11.1.41 these 
axioms and the rule form a system which is complete for PITL with respect to its abstract 
semantics introduced in Section 12. 2i This is demonstrated in Section [H Most of our axioms 
and rule are modifications of those for PNL from [GueOO] . The modifications were made 
to account for the use of infinite intervals instead of the NL expanding modalities. Some 
simple infinite-interval-specific properties of p{.) are handled by completely new axioms. 
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3.1. The system. 

Extensionality 

(P.) {i = x;p{^) = y) ^ p{i£ = x;^Ij)) =y 

(Poo) £ = 00^ {if 4^ p{ip) = 1) 

- h If A £< 00 ^ p{ip) < p{x) 
Arithmetics of probabilities 



(Pt) p(T) = 1 

{P+) p{y^)+pW=p{vy'il^)+p{fAi^) 

P expresses that the probabihty function P(/,p), max o- which is used to evaluate Ia{p{ip)) 
depends on the end point maxcr and not on the whole reference interval cr. Poo means that 
having the entire future as the reference interval renders all properties deterministic: no 
alternative behaviours are possible "from 00 on"; the interpretations /' from {I',P') G 
^(/,P),oo can differ from / only on individual variables and such differences are disregarded 
in the definition (|2.2p of |9?]m,(/,p>,ct intervals a. The rule P< means that if a property 

X is a logical consequence of another property ip, then the probability of x is at least as big 
as that of ^. The probabilities of ip and x are compared in the context of a finite- interval 
condition ip. The case of an infinite-interval condition is handled by axiom Poo. The 
axioms Pj_, Py and P+ are self-explanatory. The correctness of the axioms and the rule is 
straightforward. The use of h in P< is to emphasize that we intend to apply this rule only 
to theorems. The maximal consistent sets of formulas which take part in our completeness 
argument for this proof system below need not be closed under P<. 

The rule P< can be classified under the category of probability arithmetics as well, 
because of the meaning of <, which is defined by (jl.ip . However, we find its role as an 
extensionality rule, which is further highlighted by the derived rule PITLl below, to be 
more important. 



3.2. Some useful PITL theorems and a derived rule. The PITL theorems PITL2 and 
PITL3 and the derived rule PITLl below are used in proofs in the rest of the paper. PITLA 
is included to highlight the role of infinite intervals in the semantics of probability terms 
and the effect of r-equivalence on probabilities, respectively. 



700 N 



{ip\ I = 00) \J {if M = 00) ^ ^ x) 

ip =^ p{-il;) < p{x) 

if <^ 



(P| 

(PITLl) ^^^^ ^ ^^^^ 

{PITL2) p{^)+p{^^) = l 

{PITL3) p{ip) < p{ip) p{^ A ^(^) / 

[PITLA) plif) =p{ipA£ = oo) 
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Here follows a derivation for P^. The purely ITL parts are skipped and marked ^^ITL" 
for the sake of brevity. Applications of the axioms U1-U7 for arithmetics on probability 
domains are skipped without comments. 

1 {(p;i = oo) =^ {ip ^ x) assumption, ITL 

2 (f A i < oo ^ p{tlj) < p{x) 1) -P< 

3 £ = oo A ip^ {p{'4)) = A p{x) = 0) assumption, Poo, PITL2 

V(p(V') =OAp(x) = 1) 

v(p(V) = l^v{x) = 1) 

4 A £ = oo ^ p{il)) < p{x) 3, ITL 
5£<ooV£ = oo /TL 

6 ^^p{'^)<p{x) 2,4,5 
PITLA is obtained by applying to the ITL theorems 

(T; £ = oo) V (T A £ = oo) =J> ((^ =J> 99 A ^ = oo) and 
(T; £ = 00) V (T A ^ = 00) ^ = 00 A ^ (^). 

The rule PITLl is proved by two applications of P5° too. The proofs for PITL2 and PITL3 
below are included as simple examples of the working of the axioms about arithmetics of 
probabilities. 



PITL2: 



1 ipA^ip^± ITL 

2 p{(p A ^if) = p{±) 1, PITLl 

3 p{ip A ^v?) = 2, Pi_ 

4 ((i? V -.(^ 44> T /TL 

5 p{ip V ^(/9) = p(T) 4, P/TLl 

6 A ^v?) = 1 5, Pt 

7 p(v7) +p(^(^) =p((^ A ^99) A ^99) P+ 

8 p{ip)+p{^yp) = l 2, 6, 7, ITL 



PITL3: 



1 piijj) < p{ip V V) -P<° 

2 p((^) + A -193) = ^1(93 A V' A -■(/?) + ^1(93 V 7/; A -199) P+ 

3 p(93) A-93) =p(93 VV) 2, PITLl, P^ 

4 ^(93) < p(-(/') =^ ^(v?) < ^(93 V V') 1 

5 yi(9i?) < p{'ip) =^ piip A -.93) 7^ 3, 4 



4. Completeness of the proof system for PITL 

In this section we show that the proof system for PITL from Section [3] is complete. To 
exploit the full potential of the abstract semantics of PITL, we prove a strong completeness 
theorem. It states that every consistent set of PITL formulas has a model. This is convenient 
for the study of further extensions of the logic whose syntactic elements can be represented 
by adding infinitely many non-logical symbols and axioms about them, or when a modelled 
system is described using infinitely many formulas. 
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The main step in this proof is the construction of what is known in model theory as 
the elementary diagram A of a PITL model M for an arbitrary given set of PITL formulas 
r which is consistent in the proposed proof system for PITL. A is a description of M 
in a PITL language whose vocabulary has names for all the elements of M. To avoid 
repeating the technical steps which are not specific to the probability operator of PITL and 
can be found in the completeness proof for (non-probabilistic) ITL with infinite intervals 
from [WX04] . we introduce a translation of the involved PITL languages into corresponding 
ITL languages with appropriate vocabularies and use it to view subsets of the constructed 
diagram and the whole diagram as complete Henkin theories in (non-probabilistic) ITL as 
well. 

The model M that we construct is very similar to a canonical model. We stop short of 
calling it canonical, because of the dedicated technique which is used to build the behaviour 
representations v which are needed to populate the sets [(/jIa/.w.o- for c and w such that 
M, w^a \= p{ip) 7^ is supposed to hold. 

Without losing generality, we consider only sets of formulas T which contain i = oo. 
This way we restrict ourselves to seeking the satisfaction of T at an infinite interval. The 
satisfaction of a consistent F which is not consistent with i = oo can be achieved through 
the satisfaction of 



where c is some fresh rigid constant. 

The completeness argument involves the application of some non-trivial results about 
interpolation in ITL. We present them first. 

4.1. Interval-related and Craig interpolation in ITL w^ith infinite intervals. Inter- 
val-related interpolation for ITL with finite intervals, NL and a subset of DC with finite 
intervals and projection onto state were formulated and proved in [GueOlt rGue04bj . Craig 
interpolation was shown to hold for these logics there too. Here we just formulate interval- 
related interpolation for ITL with infinite intervals in the special form which is convenient 
for our completeness argument. 

Let L and L' be two vocabularies for ITL with infinite intervals. Let L and L' share 
their rigid symbols, including the individual variables, and let the only flexible symbol 
occurring in both L and L' be i. Let there be a bijection between the flexible symbols from 
L \ {£} and those from L' such that the symbol s' from L' which corresponds to s € L is 
of the same kind and arity as s. Let if' denote the result of replacing each flexible symbol 
s S L \ {£} in a formula if written in L by the corresponding s' € L'. 

Theorem 4.1. Let ^ be a finite set of formulas and (p and ip be two more formulas, all 
written in L. Let c be a rigid constant in L. Let 



\ XG* / 

be theorem of ITL with infinite intervals. Then there is a formula 9 written in L such that 

ipAc<ooA£ = oo^ {£ = c A9;£ = oo) and {£ = c A 6';£ = oo) ^ ip' 
are theorems of ITL as well. 



{£ = oo} U {(7 A £ = c; T) : 7 G r} 



(4.1) 




We use the standard form of Craig interpolation: 
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Theorem 4.2. Let Li and L2 be two ITL vocabularies. Let ipi be a formula of ITL with 
infinite intervals written in the vocabulary Lj, i = 1,2, and 

ipi =^ ip2 

be a theorem of ITL with infinite intervals. Then there is a formula written in the vocab- 
ulary Li n L2 such that both 

ipi ^ 9 and 9 ^ (p2 

are such theorems. 

The proofs of the two interpolation theorems are simple variants of those of the theorems 
known from [GueOlj , which in their turn follow the pattern of the model-theoretic proof of 
Craig interpolation that can be seen in, e.g., |CK73j . 

4.2. Consistency in PITL. 

Definition 4.3. Given an ITL (PITL) vocabulary L, /TLl (PITLj^) denotes the set of the 
theorems of ITL (PITL) written in a given vocabulary L. Given L and a set of formulas 
r written in L, CnL,/TL(r) (C?iL,p/TL(r)) denotes the set of formulas written in L which 
can be proved using formulas from ITLj^ U T {PITLj^ U T) and the propositional logic rule 
Modus Ponens if, ip ^ ip / il^. 

Definition 4.4. A set of ITL (PITL) formulas T written in a vocabulary L is consistent if 
1. CnLj2"i(r) (_L CnL^p/ri(r)). A consistent T is maximal in L if it has no consistent 
proper supersets of formulas written in L. 

Just like in first-order predicate logic, a set of formulas T has witnesses in some set of 
rigid constants C if for every existential formula 3xip € T there is a witness c G C such that 

[c/x]ip e r. 

Here follows the Lindenbaum Lemma for PITL as known from numerous predicate and 
modal logics: 

Theorem 4.5. Let T be a consistent set of formulas PITL written in some vocabulary L 
and C be a countably-infinite set which consists of infinitely many fresh constants of both 
the sort of durations and the sort of probabilities. Then there is a maximal consistent set 
of formulas written in L U C which contains T and has witnesses in C . 

We omit the proof for PITL, because it is the same as that for ITL with abstract 
semantics and finite intervals which can be seen in |Dut95aj . The proof for ITL with 
infinite intervals was omitted in |WX04] for the same reason. 

4.3. A vocabulary for the elementary diagram A for the PITL model M. The 
PITL vocabulary L/j which we introduce next is structured so that a PITL model M for 
the extension of some given PITL vocabulary L by a countable set of fresh rigid constants 
that we construct below can be fully described in it in terms of rather simple quantifier- 
and variable-free formulas which can be regarded as making up a diagram A for M in 
the model-theoretic sense. L^) contains rigid constants to name all the elements of the 
duration domain and the probability domain of M and a separate set of flexible symbols to 
describe the behaviour of the flexible symbols of L in each interpretation from M. Indeed, 
we construct an elementary diagram for M in L^), which consists of all the formulas in L/j 
which hold at some infinite interval in M under the convention that formulas written in the 
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various sets of flexible symbols mentioned above are understood to hold at the respective 
interpretations. 

L^) is the union of the following sets of symbols: 

1. The rigid symbols of L, including the individual variables, and the mandatory flexible 
constant I. 

2. Two countably-infinite sets of fresh rigid constants and of the sorts of durations 
and probabilities, respectively, whose structure is explained below. 

3. The fresh flexible symbols s"^, € 5, of the same kind and arity as s, for each flexible 
s G L \ {£}. The countably-infinite index set S is defined below. 

C"^ and are assumed to be the countably-infinite disjoint unions of some countably 
infinite sets Cf. and C^, k < to, respectively. Similarly, S is assumed to be the countably- 
infinite union of the sets Sk, k < uj. We denote |J Cf, [J Cf and |J Si by C<^, 

i<k i<k i<k 

and S'<fc, respectively, for all k < u). We denote the vocabulary which consists of the rigid 
symbols of L, the rigid constants from and and the flexible symbols for 
u € S<k by L<fc for all k < uo. We denote the extension of L<fc by the flexible symbols s'^ 
for V G 5<fc+i by V^k+v 

The set Sq is the singleton {()}, which consists of the empty list (). 

Sk+i = {{y, c,ip) : u ^ 5<fc, c G C<^, Lp is written in L<fc} for all k < uj. 

In the construction of A below, given a v S, A'^ stands for the result of replacing the 
flexible symbols s G L \ {£} in a term or formula A written in the vocabulary L U U 
by their corresponding symbols s'^. We denote the vocabulary which consists of the rigid 
symbols of L, including the individual variables, i and the flexible symbols s"^ for some fixed 
G 5 and all flexible s G L \ {£} by L*^. 

4.4. A translation of PITL formulas into ITL. Let L be a PITL vocabulary. We 
define its corresponding vocabulary Ijjtl for two-sorted (non-probabilistic) ITL with infinite 
intervals with the sorts of durations and probabilities as in PITL. Roughly speaking, Ijjtl 
is an extension of L by fiexible constants and function symbols which are meant to simulate 
probability terms. Here follows the precise definition. 

Definition 4.6. Ijjtl is the union of the vocabularies L/j^^ ^, k < to. Jjitl,o is L. Given 
^iTL,i-: i ^ k, IjiTL,k+i is the set of flexible constants and function symbols 

{Pip : (/? is a formula written in ^iTL.k and contains at least one symbol from ^iTL.k}- 

i<k 

The values of the symbols p<^ are of the probability sort. If ip has no free variables, then 
Pip is a flexible constant. Otherwise p,p is a flexible function symbol whose arity is 
and the sort of the ith argument of p,^ is that of the ith free variable of (/? with respect to 
some flxed ordering of these variables, i = 1, . . . , |-Fy((/7)|. 

Next we deflne a translation t of PITL terms and formulas written in L into ITL 
formulas written in ^itl- The goal of t is to systematically replace the occurrences of 
probability terms by terms built using the corresponding constant and function symbols 
from Deflnition 14.61 To achieve this, t works by the following rule: 

\p{^i)/zi,...,p{^n)/zn]A (4.2) 
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where denotes A a term or formula with no probabihty terms is translated into 

)/zi,... )/Zn]A (4.3) 

where Xj^i, . . . , Xi^mi are the free variables of ipi in the fixed ordering mentioned above, 
i = l,...,n. If FV^Tp) = 0, then the expression pt(^.)(xi^i, . . . , Xj^mJ denotes just the 
flexible constant Ptd^i)- 

Example If there are no probability terms in ip and FV{ip) = xi, then t(p((^)) is the term 
p^(xi) andt{p{i£ = X2;pi(p) < pi^if)))) is p(^=^2;p^{:r-i)<P^^(^i))(2^i' ^2)- 

Every term and formula can be represented in the form (14. 2p in a unique way up to 
renaming the distinct variables , . . . , z„ , if we assume that all of these variables have 
free occurrences in A and that the formulas ipi, . . . ,ipn are all different. The semantical 
correctness of the substitution in ()4.2p and (14. 3p is not relevant to this definition of t. Given 
a set of PITL formulas T, we denote {t(7) : 7 G T} by t(r). 

Terms built using the function symbols from Ijjtl in translations of PITL formulas 
always have the free variables of ip as their argument terms. That is why formulas written 
in JjiTL which contain p^ in terms of other forms are not in the range of t. However, they 
always have equivalents of the form t{ip) for appropriate PITL formulas (p written in L. To 
realise that, note that if FV{^) = {xi, . . . , x„} and yi, . . . , y„ are n fresh variables of the 
appropriate sorts, then p^(ti, . . . , t„) = z is equivalent to 

(n / n 

/\ti = Vi A3xi . . . 3xn i /\yi = Xi A p^(xi, ...,Xn) = Z 
1=1 \i=l 

Furthermore, every formula written in Ijjtl has an equivalent in which the terms of the 
form p^(ti, . . . ,tn) appear only in atomic formulas of the form p^(ti, . . . , t„) = z where z 
can be chosen to be different from xi, . . . , x„. 

Now we turn to the correspondence between derivability in PITL and ITL with infinite 
intervals. 

Proposition 4.7. Let L 6e a PITL vocabulary and T be a set of formulas written in L. 
Then 

t{Cni^,PiTL{r)) = Cn-L„^jTL{t{PITLi^ur)). 

Proof. Simple induction on the construction of proofs. □ 

Corollary 4.8. A set of PITL formulas T written in a vocabulary L is consistent iff 
Cn-L,jj,^jTL{PITLz, U r) is consistent. 

Proof t(_L) is _L. □ 




4.5. The weakened proof system PITL . The model M constructed below is for L U 
C^UCP. It contains one class of w G W which are the same except possibly for the inter- 
pretations I"' of some individual variables for every u € S. Let denote a representative 
for the class of interpretations corresponding to i'. Then /"'"(s) is defined by the formulas 
from the diagram A for M which describe for all flexible s G L \ {£}. We are interested 
in having a set of formulas F which contains the formula i = 00 satisfied at some infinite 
interval [ro,oo] and some interpretation / in M. Our construction of M provides that if 
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c ^ and n is defined by the equality m([ro,ri]) = I'^"{c) in M, then Wy and W(^u^(.,ip) are 
related as follows: 

If M,Wy, [ro,ri] |= / and -Fy((/?) = {xi, . . . then Wy =r^ ■'^(i.,c,</p> 

and M,v, [tq, oo] ^ if for some v such that = (/"'(''■'=^^> i:;^^"^ and 

This means that t/^(,.,c,vp) ^ ^M.^j^Jrcn]- 

Furthermore, we are interested in enforcing PITL local logical consequence at each 
particular w € W, but not across different w. That is why in the construction of A below 
we restrict the applicability of the P/TL-specific axioms P-, Pqo, Pi, Pj and P+ and rule 
P< from Section [3] in sets of formulas written in L/) . We allow only instances of P , Poo , 
P<, Pj_, Pj and P+ in which all flexible symbols except i have the same superscript u £ S. 
The resulting weakened proof system is tied to the vocabulary L/j. We denote it and the 
set of its theorems written in a given sub- vocabulary L' of L^i by PITL~ and PITL^,, 
respectively. Theorem 14.51 applies to consistency with PITL^, without change. Similarly, 
we have the following variant of Proposition 14.71 

Proposition 4.9. Let L' be a sub-vocabulary o/L/j and T be a set of formulas written in 
L'. Then 

We also use the following somewhat more involved technical consequence of the re- 
stricted use of the instances of P , Pqo , P< , P± , Py and P+ and the restricted application 
ofP<. 

Lemma 4.10. Let a E PITL^, for some sub-vocabulary L' of J-i£). Let C be the set of 
the rigid constants of L' . Then there exist finitely many superscripts i/i , . . . , z/„ G 5 and 
theorems f3i € PITLi,i^njc, i = 1, . . . ,n, such that the formula 

n 

A °VA ^ a (4.4) 

i=l 

is provable without the use of P, Poo, Pi, Pt o,nd P+ and P<, that is, essentially in 
(non-probabilistic) ITL with infinite intervals. 

Proof. Consider a PITL^ proof of a in L'. Let z^i, . . . , be all the superscripts of flexible 
symbols occurring in formulas from this proof. If a formula /3 from the proof is written 
in the vocabulary h'^' U C for some i € {1, . . . ,n}, then /3 G PITLj^-^njc- To realise this, 
notice that changing all the superscripts of the flexible symbols in the formulas from the 
part of the proof which leads to /3 to i^i preserves its correctness. We can choose Pi to be 
the conjunction of all the formulas from PITLi,i^i[jc in the chosen proof of a, i = 1, . . . , n. □ 

Consistency in the rest of this section is with respect to PITL~ . 

4.6. The elementary diagram A for M. Here follows the precise construction of the 
diagram A. 

A is the union of the infinite ascending sequence of sets of formulas 

Ao C A'l C Ai C . . . C A'fe C Afc C . . . (4.5) 
where A^. and A^^^^ consist of formulas written in L<fc and L'^^^-^, respectively, for each 
k < uj. Aq is a maximal consistent set with witnesses in Cg U Cq which contains the set 
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|-j/(> : ry g Y}. Such a set exists by Theorem 14.51 For an arbitrary k < uj, A^_,_^ is the 
extension of by 

the formula ip'^ and the formulas (□V(x'^ <^ x'^ ) ^ ^ = = oo) for all x written in L, 

(4.6) 

for each pair of indices € S<k and i^' £ Sk+i such that v' = (i^, c, (/?) and 
(pi^") ^0M = c;i = oo) € Afc. 

Lemma 4.11. If is consistent, then A^_(_]^ is consistent too. 

The proof of this lemma is the key technical step in the entire completeness argument 
about our proof system for PITL. 

Proof. Assume that A^ is consistent and A^^^ is not for the sake of contradiction. Since 
proofs in PITL^ are finitary, there is a finite inconsistent H C A^^-j^. H ^ A^., because A^ 
is a consistent set. Hence there are finitely many v' G S^+i \ S<k such that flexible symbols 
superscripted by u' occur in formulas from S. These formulas are of some of the forms 
(|4.6p . Below we prove that the assumed inconsistency of H is preserved after withdrawing 
the formulas of the forms (j4.6p for each such ly' G Sk+i \ S<k- The remaining formulas in H 
are also in A^. This will bring contradiction with the assumed consistency of A^. Let us 
choose one such v' and let i^' = {v, c, ^p). This means that ip{^'^) ^ Ai = c]i = oo) G A^. 
Then the formulas (14. 6p for the chosen u' and u are in A'^,^^. Let the formulas in H with 
flexible symbols superscripted by i^' be (□V(xJ' <J=^ Xi') /\ i = c;£ = oo), i = 1, . . . ,m, and 
ip'^ . Let Hp- be the set of the remaining formulas from H, which have no flexible symbols 
superscripted by u'. Then 

h^,^^- (/\H^)^ U(nv(xr^xr')A^ = c;^ = oo)^^^'^'). 
L<fc+1 \i=l ) 

Now Proposition 14.91 entails that 

^ITL t{a) ^ (^t(/\ E^) ^ (J\{ay{t{x^^) ^ t(xf )) A£ = c;i = oc)^ ^t{^-^')^ ^ 

where a G PITL7, . According to Lemma 14.101 there is a finite set of superscripts 
z^i, . . . , € S<k+i and this many formulas /3i G PITL-^^^yjf,d ^.^p , i = 1, . . . ,n, such that 



infinite intervals. Without loss of generality we can assume that (3i G PITL^^r^^Qd jj^p and 



(j4.4p is provable without the P/TL-speciflc axioms and rule, that is, essentially in ITL with 
infinite intervals. Without loss of gener 

P2 € PITL-^^i ^j(jd yj(jp . Then we have 

t(nv/3i) A t(nV/32) A A (aV(t(xr) ^ t(xr')) A ^ = c; ^ = cx)) ^ -t((^-') 

4 = 1 / 

All the flexible symbols on the right of the main =^ in this formula except H. are superscripted 
by either v or v' and the superscript u' does not appear on symbols in the formula on the 
left of Hence by Craig interpolation (Theorem I4.2p some ITL formula A written in 
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(L" U C^^ U C^k)iTL satisfies both 

hjTL t E^) A /\ DVA j ^ A (4.7) 

and 

m 

^ITL /\{amx-) ^ t(xr')) Ai = c;i = ^)^{{XA t(nV/3i)) ^ (t(nV/32) ^ -t((^-'))). 

(4.8) 

The formulas AAt(nV/?i) and t(nV/?2) ^ -1(99'"') in (|MD are written in {L''UC^^UC^^)itl 
and (L^ U U C^^)jtl, respectively. A bijection can be defined between the sets of 
the flexible symbols of these two vocabularies, excluding i, in which the flexible symbol 
s' G (L^' U C^;- U C|J/TL \ {£} which corresponds to s e (L" U 0;- U C^fc)/TL \ {^} is 
obtained by changing all the superscripts 1/ in s to i^' and vice-versa. If s is of the form 
Pt(i/i) (see Definition 14. 6p , it may have more than one occurrence of a superscript in the 
subscript formula t(V')- All these occurrences have to be changed. This bijection allows 
us to apply interval-related interpolation (Theorem 14. ip to ()4.8p and conclude that some 
ITL formulas 9itl e (L^ U C^^ U C^J/tl and O'j^^ G (L''' U C7^^ U C^J/tl which can 
be obtained from each other by replacing the corresponding flexible symbols from their 
respective vocabularies satisfy 

h/TL A A t(nV/3i) Ac<ooA£ = oo^(£ = cA Oitl; i = 00) (4.9) 

and 

^ITL i£ = cA e'jTL, ^ = 00) ^ (t(nV/32) ^ ^ti^"')) 

which by simply changing all superscripts v' to v implies 

^ITL il = cA 6 ITL] ^ = 00) ^ (t(nV/3^) ^ -t((^^)) (4.10) 

where is the result of changing all the superscripts v' of the flexible symbols in (32 to v. 
By (I12D and (gJl) we obtain 

hjTL t ^(/\ H^) A /\ aVA^ A t(nV/3i) Ac<ooA£ = oo^(^ = cA Oitl; e = 00) (4.11) 

The formula Ojtl is the t-translation of some PITL formula written in U C^,. U C^^ 
which, in its turn, has the form 9'^ where is a formula written in L U C^^ U C<^. (Then 
6'jXL is t{6'^ ).) Hence we have 

n 

^PITL-, (A ^ A ^ ^'^'^i Ac<ooA£ = oo^(^ = cA0^;£ = oo). 

Since € PITLi^v^^^^d^^^jp^^ C PITL^, , i = 3,...,n, and /3i € P/TLli'uc^j.ucJ^j. — 

PITLj, , the above formula can be simplified to 

■'^<fc+i 



^Plj'l- (A ^17) Ac<cx3A^ = oo^(£ = cAi 



^<fc+i 
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Since {p{f'^) ^ A i = c;i = oo) G A^, c < oo,£ = oo £ too. This implies that 
[i = c AO^-J = oo) e CnL/^^^^(Afc U E^). Similarly, (|i30l) implies than 

^p/rv,^,^,^p^ = c A = oo) ^ (QV/?^ ^ -9.-), 
and, since /?2 is a PITL theorem written in the vocabulary JJ^ U C<^, U C^^, 

^^L^uc^.uc^^, (^ = cA0'^;^ = oo)^((^^^±), (4.12) 

Now by an application of the rule P< to (|4.12p . where the flexible symbols have no other 
superscript except v as required by our restricted way of applying this P/TL-specific rule, 
we obtain 



which implies 



^'<fc+i 



'^PiTL-, e = cAe''Ai<oo^ piip") = 



by Pi and, flnally, 

\-pjj,^-_ {£ = cAO" Ai <oo;e = 00) ^ (pif") =OAi = c;i = oo) 



T ' 



by an application of the ITL proof rule Mono. Since c < 00, {£ = c A9^;l = 00) G 
CnL'^^^_^ (Afe U Hp-), this implies {p{^^) = A i = c;£ = 00) € CnL/^^^^(Afc U Hp-). Hence 
Afc U Hp- is just as inconsistent as A^ U H, because the reason for all the formulas with 
flexible symbols superscripted by v' = (z/, c, ip) to be in the finite subset H of A^^^ is 
{pi^"^) 7^ A £ = c;i = 00) € Afc. We can continue by showing that taking away the 
formulas of the form (|4.6|) for some other superscript u" £ S^+i \ S<k leads to a subset 
(Hp-)p7 of Hp- such that A^ U (Hp-)p7 is still inconsistent, etc., until there are no more 
symbols with superscripts from Sk+i \ S<k in the remaining subset of H, which then will be 
a subset of A^. This is the sought contradiction, because we assume that A^ is consistent. □ 

For an arbitrary A; < w, if A'f^^^ is consistent, then Afc_|_i is defined as some maximal 
consistent set which contains A^^^^ and has witnesses in C^_|_]^ U C^_^_i- Its existence follows 



from Theorem 14.51 again. Then Lemma 14.111 implies that all the sets in the sequence (|4.5p 
are consistent. Furthermore, obviously A is a maximal consistent set in L/) with respect to 
\~PjTi- and has witnesses in C"^ U C^. The construction of A is complete. 



4.7. The PITL model M. Since A is a maximal consistent set of PITL formulas written 
in Ij£) with witnesses in U C^, t(A) is maximal consistent set of ITL formulas written 
in {'Lj:))jtl with witnesses in U too. We use this to construct the model M at two 
steps, the first being the construction of a canonical ITL model Mitl which satisfies t(A) 
and the second being the construction of M itself. This way we avoid the repetition of the 
non-P/Tiy-specific steps in the construction of M which are as in |WX04j . 
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4.7.1. The ITL counterpart of M. Let 

Ci = C2 iff Ci = C2 G A 

for constants ci,C2 G C"^ and ci,C2 G C^. Clearly, = is an equivalence relation on the 
constants from U C^. Let [c] denote the =-equivalence class which contains c for each 
c G C"^ U CP. Let 

T = {[c] : c G C'^}, D = T, and C/ = {[c] : c G C"^}. 

Let 

[c'] < [c"] iff c' < c" G A 
for c', c" G C''. Clearly, < is a linear ordering on T. Let Coo be a witness in for the 

formula 3x{x = oo) in A. Then clearly (T, <, [cqo]) is a time domain. 
Given [[c'], [c"]] G I(T'), we denote the set of formulas written in Ljj 

{if : ((£ = c'; V9) A £ = c"; T) V (c" = oo A (£ = c'; (^)) G A} 

by A[[c'],[c"]]- To understand the definition of A[[c/] jc"]], recall our choice to start from a 
set r such that £ = oo G T and, consequently, = oo G A. Let cq G C"^ be a witness for 
= 0) in A and (Jq = [[cq], [coo]] for the rest of the section. Then obviously Ag-Q = A 

and 

^ e ^[[c'],[c"l] iff = c'; f^) G A[[co],[c"]] (4.13) 

for all ip G Li). 

We define the mapping Iitl of (Li:))/^^ by the clauses: 

I itl{x) ■, I iThid) G A for individual variables x and constants d where A = D ioY x and 
d of the duration sort and A = U otherwise, and 

Iitl{x) = {ceC'^UCP ■.c = xG t(A)}, IiTiid) = {c £ U : c = d e t(A)}. 

IitlU) : ^1 X ... X A^f rigid function symbols / where Ai,. . . , are 

either D or U, depending on the sort of the respective arguments of / and the sort of its 
value, and 

//tl(/)([ci], . . . , [c^f]) = {ceC'uCP:c = /(ci, . . . , c#f) G t(A)}. 

Iitl{R) : ^1 X ... X {0, 1} for rigid relation symbols R where ^i, . . . , A^n are 

as for function symbols, and 

Iitl{R){[ciI...Ac#r]) = 1 iffi?(ci,...,c„) Gt(A). 

IiTL{d) ■ i(T) ^ A, IitlU) ■ i{T) x Ai x . . . x A#f ^ A#f+i and 
Iitl{R) : AiX . . . X A^R {0, 1} for flexible d, f and R, respectively, where the As are as 
for rigid symbols. 

IiTL{d){a) = {ceC'^UCP :c = de t(A^)}. 

Similarly, 

IlTLif){cr, [ci], . . . , [c#/]) = {ceC^UCP:c = f{ci, . . .,c#f) G t(A.)}. 
Finally, Iitl{R){(7, [ci], . . . , [c^r]) = 1 iff R{ci, c^r) G t(A^). 
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A lengthy but otherwise straighforward argument, which is standard for canonical models, 
shows that the above definitions are correct, {D, Iitl{+)-,Iitl{^)-, Iitl[oo)) is a duration do- 
main, ([/, //tl(+)> -f/TL(0), IitlO-)) is a probability domain and Iitl[^) is a measure function 
from i(r) to D, 

F = {{T, <, //tl(oo)), {D, Iitl{+), Iitl{0),Iitl{<x>)), {U, Iitl{+), Iitl{0), IiTL{l))J{t)) 

is a two-sorted frame for ITL with infinite intervals and I is an ITL interpretation of {1-id)itl 
into F, which means that Mitl = {F,Iitl) is a two-sorted ITL model for (Ld)itl- The 
standard truth lemma holds for Mjtl, which is a canonical model: 

Lemma 4.12 (Truth Lemma for Mjtl)- Let a G i(T). Then 

(IiTLUt) = {ceC''uCP :t = ce t(A,)} and Mjtl, a ^ if iff if e t(A,) 

for every term t and every formula ip written in the vocabulary (Ld)jtl- 

4.7.2. The model M. Our next step is to define the PITL model M = {F,W,I,P) itself. 
The vocabulary of M is LUC^UC^ and its frame is F. Let 11 denote the set of the functions 
TT : V ^ DUU where y is a finite set of individual variables in L and 7r(x) is in the domain 
which corresponds to the sort of x for each x € V. We define W as the set 5 x 11. Given 
G 5, we define the interpretation Ii, by the equalities 

Iu{s) = Ijtl{s) 

for rigid s G L U C"^ U C^, including the individual variables, 

= m and h{d) = IjTLid") 

for fiexible constants d G L \ {i} and 

I^{s){a,ai, . . . ,a#s) = IjTL{s''){(r,ai, . . . ,a#s) 

for other fiexible s G L. Now W consists of all the variants of the I^, for all v (z S. 
Given w = {v, vr) such that domvr = {xi, . . . , we put 

jw — (J \7r(a:i),...,7r(x„) 

Some auxiliary notation is needed for the definition of P^. 

Let if he a formula written in L U C'^ U CP, FViif) = ^, u e S and [[c'], [c"]] G I(T). 
Then we denote the set 

WgS: ip'^' G A[[,,],[,^]], (□V(x'^ ^ X'^') = [c"];T) G A[[,,],[,^]] for all x in LUC^UC^} 

by 5'^,;/,[[c'],[c"]]- We use 5'^,;/,[[c'],[c"]] to define a syntactical conterpart ((.)) to [.] in our model 
under construction. If -0 is a formula written in L U C"^ U C^, FV{'ip) = {xi, . . . ,Xn} and 
Cj G l'^'^'^\xi), i = 1, . . . ,n, then we put 

{{f)){u,7T),llc'],lc"]] = G W : z^' G 5'[ci/^.i,...,c„/x„]<^,i.,[[c'],[c"]],7r' G 11}. (4.14) 

Clearly, the set on the right of = in (j4.14p does not depend on the precise choice of q G 
ji'^^'^) (^Xi), i = 1, . . . ,n. The truth lemma about M which is proved below entails that 

(i^))w,[[c'],[c"]] = 1'^}m,'W,1[c'],[c"]]- (4-15) 

Note that 

[[c'],[c"]] = (((^ = c'; ^)))w,llco],[c"]] (4.16) 
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follows from (14.131) and therefore the rest of the construction steps involve mostly intervals 
cr G I(T) such that mino" = [cq]. Given w G W, w = (i^, vr), a formula if written in 
L U C"^ U whose free variables are xi, . . . ,Xn, € 5, q S I^{xi), i = 1, . . . ,n, and 
[c"] G T we define on the subsets of W of the form ()4.14p by the equality 

-P"'([c"], {{f))w,llco],lc"]]) = {C G : p([ci/xi, . . . , Cn/Xnjf") = C G A[[co],[c"]]}. 

For this definition to be correct, we need to have 

p([ci/xi, . . . , Cn/Xul^p") = C G A[[cq]Jc"]] iff Pi[ci/Xl, Cn/XnW) = C G Ajjc^jjc"]] 

for formulas if and if) such that 

{{v))w\[co\,[c"]] = ((V'))«),[[co],[c"]], (4.17) 

and Ci G I^{xi), i = 1, . . . , n, where {xi, . . . , x„} = FV{ip) U Fy(V'). To prove it, assume 
that 

p{[ci/xi,...,Cn/Xn\v'') < p{[ci / Xi, . . . , Cn / XnW) G A[[co],[c"]] 

for the sake of contradiction. Then 

p{[ci/xi, Cn/Xn]{V A ^V?'")) / G A[[co],[c"]] 

by PITL3 from Section [3.2[ If c" < oo G A, then this implies that 

{{l^,c",tpA -93), vr') G ((V'))«;,[[co],[c"]] \ ((V5))«;,[[co],[c"]] 

where doniTr' = FV{ip)UFV{'ip) and vr'(xi) = I'^{xi). i = 1, . . . ,n, which contradicts ()4.17p . 
If c" = oo G A, then the appropriate instances of Poo and PITL2 from Section 13.21 imply 
that 

p{[ci/xi, Cn/Xn]{V A -^Lp"")) = 1 G /^y^coUc"]] 

and, consequently, 

[Ci/Xi, . . .,Cn/Xn]{V A ^(/?'') G l\[[co]\c"]]- 

This implies that w itself is in ((V'))w,[[co],[c"]] \ ^^l}w ,[[co\\c"]\i which contradicts (j4.17p too. 

The presence of all the instances of Py find P+ written in the vocabularies JJ^ U 
C"^ U CP, G 5, in A[[j,jj] [^z/]] implies that \X.P^{[d'],X) is a finitely additive probability 
function on the boolean algebra 

({((^))t«,[[co],[c"]] : V' € L},n,U,0, W^jc"]) 
for every w G W and every [c"\ G T. Note that this algebra contains the sets ((V'))u;,[[c'],[c"]] 
for ah c' G such that c' < c" G A because of (liT6]l . Clearly, M = (F,W,I,P) is a 
PITL model for the vocabulary L U C"^ U C^. 

Obviously if t/; = (i^, vr) for some vr G 11 then {((z^, c, (/?), vr') : vr' G 11} Cg [^j for all 
V G S'<fc, c £ and all 99 written in L<fc such that {p{^'^) 7^0A^ = c;T) gA and all 
k < uj, because, according to the construction of A, in this case 

(□V(x'^ ^ X^'''""'^^) A ^ = c; T) G A 

for all formulas x written in L U C"^ U C, and in particular for x of the forms d = x, 
/(xi, . . . , = x#/+i, i?(xi, . . . , and p(V') = 2; where d, / and i? are flexible 

constants, function and relation symbols from L, and ip is written in LUC^UC^ respectively. 
Furthermore, if I^' is a variant of I" and P*" = P*' for some w,v € W, then = 
for all [c] G r. 

Here follows the truth lemma for M: 
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Lemma 4.13 (Truth Lemma for M). Let a G i{T), w € W and w = (z^, vr). If t is a term 
written in L^, Fy{t) = {xi, . . . , Xn} and ci, . . . ,Cn € C"^ U are suc/i i/iai Cj G I^{xi), 
i = 1, . . . ,n, then 

w^{t) = {c G C'^UCP : [ci/xi,... ,Cn/x„]t^ = c G A^}. 

If if is a formula written in Lid, FV{ip) = {xi, . . . , Xn} and ci,...,c„ satisfy the same 
conditions as above, then 

M,w,a \= ip iff [ci/xi, . . .,Cn/xn]^'' G Act. 

We use the constants ci , . . . , c„ in the formulation of the lemma, because we need it to 
apply to G W with variants to some interpretation of the form I^,, and not just to the 
interpretations 1^, v ^ S, themselves. 

Proof. The proof is by simultaneous induction on the length of terms and formulas. The 
clause of the lemma about formulas implies M.lSh . 

The induction base and the steps for formulas and for terms built using constants, 
variables and function symbols are as in (non-probabilistic) ITL and we omit them. We only 
do the case of probabilistic terms p(V')- According to our definition, FV{p{'tp)) = FV{'ip). 
Let xi, . . . , Xn and ci, . . . , be as in the lemma and cr — [[c'], [c"]]. Since 

W[[c'],[c"]]{pW) = P'"{[c"],bP}M,w,[[c'],[c"]]) 

= 'f^[[co],[c"]](p((^ = c';V'))) 

and 

[ci/xi,. . . ,Cn/xn]p{i^'') = c G ^[[c'],[c"]] iff [ci/xi, . . . ,c„/x„]p((£ = c';^^'')) = c G \co]y]] 

because of the instances {i = c';p{ip) = d) ^ p{{£ = c'; ip)) = d of R, which are in A[cp] [^/z] 
for all d G C^, it is sufficient to prove 

W[[co],[c"]]{p{{^ = C;ip))) = {ceC^UC^ : p{{£ = C; [Ci/xi, . . .,Cn/XnW)) = C G A[[co],[c"]]}. 

(4.18) 

By the induction hypothesis, the lemma holds for ^ and therefore 

(('0))«;,[[c'l,[c"l] = [V'lM,to,[[c'],[c"]]) 

which implies 

(((£ = c'; V')))«,,[[co],[c"]] = W = c';V')1m,«,,[[co],[c"]] 
by ()4.16p and the definition of |-]a/,«;,[.,[c"]]- Now (|4.18p follows from the definition of P'^ . □ 

We conclude the presentation of M with the observation that 5* and the domains in 
F are countably-infinite and therefore every interpretation in W has only countably many 
variants, which entails that W is a countably-infinite set. 

4.8. The completeness theorem. Now it is easy to prove the strong completeness theo- 
rem for our proof system for PITL. 

Theorem 4.14. Let h be a PITL vocabulary and T be a set of formulas written in L 
which is consistent with the proof system from Section 0. Then there exists a model Mr = 
(Fr, Wr, /p, -Pp) for L and an wq G Wr and a time interval uo in it such that 

Mr, Wo, crQ\= if for all ip eT. (4.19) 
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Proof. If r is consistent with the formula ^ = 00, then we can take the model M = 
{F, W, /, P) constructed in Section [4.71 for F U = 00}. Otherwise T is consistent with the 
formula £ = c A c < 00 for some rigid constant c L and we can take M from Section 14.71 
for the set (|4.ip . In both cases Mr can be chosen to be {F,W, Xw.{I^\-l,), P) where /'"II 
stands for the restriction of ly^ to the initially given vocabulary L, and wq can be chosen to 
be (0,0) where () is the only element of Sq and denotes the empty function ^ C"^ U C^. 
In the first case the interval o"o can be chosen to be the entire time domain T of F. In the 
second case ao can be chosen to be [minT, /'""(c)] where c is the constant introduced above. 
The equivalence now follows from the definition of A and Lemma 14.131 □ 

5. Axioms for global probability in PITL models 

We call the models for PITL introduced in Definition 12.41 general, because the probabil- 
ity functions XX.P^ (t, X) in them can be arbitrary, whereas it is natural to require these 
functions to satisfy certain constraints. Applications typically lead to models in which 
all the probability functions originate from a global probability function on the entire W 
such as the automata-based models of PDC. Consider models M = {F, W, /, P) with 
frames F = {{T, <, cx3), {D, +, 0, 00), {U, +, 0, 1), m) whose time domain has a least element 
To = minT and a distinguished wq &W such that W^q^^-o = W. Then XX.P^° {tq, X) can 
be regarded as the global probability function and, given an arbitrary w £ W and t T, 
the probability function \X.P^{t,X) should represent conditional probability on sets of 
interpretations, the condition being r-equivalence with w. Hence we should have 

P"'o(ro,W^,,).P"'(r,yl) =P"'»(ro,W^,,n^) (5.1) 

with respect to an appropriately defined operation of multiplication . on the probability 
domain for all A C W such that the above equality is defined. This equality is usually 
insufficient to determine XX.P'^{t, X), because, e.g., it is possible that P'^°{t,Ww,t) = 0. 
A more general constraint of this form can be formulated as follows. Let M, w and A C W 
be as above, t,t' £ T and t < t' . Then 

P'"»{t,A)= J P"'(r',A)d(AXP"'o(r,X)). (5.2) 

The integral above is not guaranteed to exist for an arbitrary probability domain, because 
its definition involves least upper bounds and greatest lower bounds of sets of approximating 
sums, which may be unavailable if there are Dedekind gaps, which is the case if, e.g., the 
probability domain is based the non-negative rational numbers. Dedekind-completeness is 
not a first-order property and therefore our proof system for PITL cannot be extended to 
one that is complete with respect to Dedekind-complete domains by finitary means. In this 
section we propose axioms which enforce the best possible approximation of ()5.2I) permitted 
by the probability domain. 

In the rest of the section we consider PITL models (F, W,/, P) with the probability 
domains of their frames F extended to have multiplication. Given 

F = {{T,<,oo), {D,+,0,oo), {U,+, .,0,1) ,m), we assume that the new operation satisfies, 
e.g., the following axioms: 
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(f/8) {x.y).z = x.{y.z) 

(f/9) x.y = y.x 

(f/10) {x + y).z = x.z + y.z 

[Ull) x.l = x 

(f/12) x.y = j;.2: =^ X = y = z 

(f/13) X = V 3y(x.y = z) 

Together with (C/l)-(C/7), these axioms are sufficient to extend a probability domain to a 
field by introducing negative elements and division in the customary way. 

We adopt a definition for the integral in (j5.2p which is based on Darboux-Lebesgue sums 
as known from the theory of integration of real- valued functions. Let the measurable sets 
Bq, . . . , Bn form a partition of W^,,^,- and let P^{t' , A) £ [Ci,Vi] ^ ^ i = 0, ■ ■ ■ ,n. 

Then the sums 

n n 

^^P'"' {r, B,) and ^ r/.P""' (r, Bi) (5.3) 

are a lower and an upper approximation for the integral from (|5.2p . respectively. The integral 
is defined if both the least upper bound of the lower approximations and the greatest lower 
bound of the upper approximations of the above forms taken for all partitions Bq, . . . , Bn of 
^w,T into measurable subsets and all appropriate boundary probabilities ^j, iji, i = 0, . . . ,n, 
exist and are equal. 

The sets A for which P'^'^{t,A) and P'^{t',A), w G W^^^^ need to be defined have the 
forms y}M,wo,lT",T] and Mm,w,[t",t'] = Mm,wo,It",t] n W^„,^/, respectively, where is a 
formula in the vocabulary of M and r" < r. Hence ()5.2p can be written as 

P'"'ir,MM,n.o,[r",r]) = J P(t', Mm,.,[.",.'] )d(AXP"'° (t, X)) . (5.4) 

Our axioms for (15. 4p exploit the observation that the sets which are available for the con- 
struction of partitions Bq, . . . , Bn have such forms too. Here they are: 

(P) i<y/\ p{{i = y A 6* A p{ip) > x; T)) = ^ p{{e A £ = y;T) A ip) < x.p{{e Ai = y;T)) 
(P.) i<yA p{{e = yAe A p{(f) < x;T)) = ^ pile A £ = y;T) A (f) > x.p{{e A £ = y;T)) 

Let us show that these axioms enforce the possible approximations of ()5.4p . Assume that P 
and P are part of our proof system. Let ip he a PITL formula, y be an individual variable 
of the duration sort and xq, . . . ,Xn be n -|- 1 individual variables of the probability sort. Let 

6*0 ^ pip) < XQ, 9i ^ Xi-i < p{ip) A p{lp) <Xi, i = 1, . . . , n. 

Now consider the instances 

£<yA p{{t = y A 0i A p{<p>) > xf, T)) = ^ p{{9, A £ 

l<yAp{{l = yA9iAp{^)<Xi^i-T))={)^p{{9,Al 

of P and P_ for i = 1, . . . ,n and the instance 

£<yA p{{t = y A 00 A p{p) > xq; T)) = ^ ^((^0 A £ 

of P. Since 

\-piTL 9i A p{ip) > Xi^ ± and \-piTL 9i A p{ip) < _L, 

we have 



= y;T)Aip) < x,.p{{9, A t = y;T)) 
= y;T)Aip) >Xi^i.p{{eiA£ = y;T)) 

= y;T) Aip) <xo.p{{eoAe = y;T)) 
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Hp/TL p{{^ = y/\OiA p{ip) > xf, T)) = 0, p{{i = y A 0, A p{ip) < T)) = 
by PITLl and Pi. Hence the considered instances of P and P_ entail 

Hp/TL i<y^ Xi-i.p{{9i M = y;T))< p{{e^ A£ = y;T)Aip) (5.5) 
for i = 1, . . . , n and 

^PITL i<y^ p{{0i A ^ = y; T) A yp) < Xi.p{{ei Ai = y; T)) (5.6) 
for i = 0, . . . , n. Let x denote the rigid formula 

n 

y<ooAxQ = OAXn = lA^ Xi-i < Xi. 



1=1 



Then a purely ITL deduction shows that 



i~P/TL X 

and 



V<=^\lmAl = y-J)A^) 



i=0 



^PITL X ^ -(((^i A £ = y; T) A (/?) A {{Oj Al = y;T)A 99)) 
for i 7^ J, z,j = 0, ...,n. Hence, using the axioms for arithmetics of probabilities and 
PITL4:, we can derive 

n 

^PITL X =^ P{v) = ^Pi.{Oi Al = y;T) Aif). 
i=0 

Now (|5.5p and (|5.6p imply 

n n 

^piTLx^Y.xi.i-p{{^i/\i = y;V) <p{v) ^piv) <J2'^i-p((^i^^ = y'^^y (5-^) 

j=l j=0 

Recall the model M and its distinguished wq € W and time point tq. Let t,t' T and 
r < r'. Let I'^°{y) = m([ro,r']). Then the satisfaction of (|5.7|) at -wq, [to,t] in M means 
that if ^ = |v:?]m,u)o,t" ~ l^ilM,wo,T, i = 0, . . . ,n, then P^°{t, A) is bounded by the 

sums ()5.3p where ^0 = 0, rjQ = /'""(xq) and = I""'(j;j_i) and r/j = I'^°{xi) for i = 1, . . . , n. 
Assume that z is a variable of the probability sort and M satisfies the rigid formula 

n 

f\Xi < Xi-l + z 
i=l 

n 

at Wq as well. Then, since ^ P^°{T,Bi) = 1, the lower and upper approximations (j5.3p 

i=o _ 
differ by no more than I'^'^(z). Now it is clear that the validity of P and P in M entails 
that (j5.4p holds approximately with precision which is smaller than any probability 6 £ U 
such that 6 + . y + 6^ > 1 for some n < co. Hence, if {U, +, .,0, 1) has no "infinitely small" 

n times 

elements, then the integral from ()5.4p is defined and (15. 4|) holds. If there are such elements, 
then the difference between the least upper bound and the greatest lower bound of the sums 
()5.3p , respectively, is "infinitely small" . 
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Obviously the condition W«,,)^ro = W is relevant just to the scope of the (approximate) 
validity of ()5.2p . If all instances of P and P hold everywhere in a PITL model, then so do 
the approximations of (j5.2p . 

6. Probabilistic real-time DC with infinite intervals 

In this section we introduce an enhanced system of real-time probabilistic DC which 
enables the handling of infinite intervals and has a syntactically simpler and more expressive 
probability operator instead of the original /i(.)(.). The new system is obtained as the 
extension of PITL by state expressions and duration terms. It properly subsumes the 
original probabilistic real-time DC from |DZ99| in a straightforward way. The relative 
completeness result about probabilistic DC in this paper is about this enhanced system 
and we use the acronym PDC for it in the rest of the paper. 

6.1. Language. PDC vocabularies are just PITL vocabularies extended by state vari- 
ables, which are used to construct state expressions and duration terms just like in (non- 
probabilistic) DC (see Section [1.21 of the Preliminaries). 

6.2. Models and satisfaction. PDC models are PITL models which are based on the 
real-time and -probability frame for two-sorted ITL with infinite intervals 

Fr, = ((R, <, oo), (R+, +, 0, oo), (R+, +, .,0, 1), Act. max a — miner), 

the only difference being that the interpretations I^, w W are supposed to map the 
state variables from the respective vocabularies to {0, l}-valued functions of time with the 
finite variability property. We assume that multiplication is available for probabilities. The 
definition of the values of duration terms and the definition of the satisfaction relation are 
just like in DC and PITL, respectively. 

6.3. Describing probabilistic real-time automata and expressing /i(.)(.). The prob- 
abilistic automata from the semantics of PDC originally introduced in pZ99j can be de- 
scribed in the system of PDC proposed in this paper. The original probability operator 
^(.)(.) can be expressed using p{.) as follows. 

Let A be an automaton of the form (|1.2p from Definition [L3l The DC vocabulary which 
corresponds to A consists the states of A as state variables and the PITL vocabulary for A 
introduced the example from Section 12.21 which includes the transitions of A as temporal 
propositional letters (0-ary flexible predicate symbols), the rigid constants qa and the rigid 

T 

unary function symbols Pa to denote Ar. J pa{t)dt for each transition a, respectively. Let 



M = {Fn, W, /, P) be a PDC model for this vocabulary in the sense of Section [6.21 with W 
being the set of all the behaviours of A and XX.P^{t,X) being the conditional probability 
for a behaviour of A to be described by an interpretation in the set X C W^^,-, given that 
w € W describes this behaviour within the interval [0,r], like in the example from Section 
12. 2[ Then M validates the axioms 

□ -(ha-]; [a^l A-a; [a+D, -([a"] A-a; [a+l;T) 

and 

□ (-([a-]; a) A -(a A - [a-]) A -(a; M)) 
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for all transitions a at all intervals a such that miner = 0. These axioms force the interpre- 
tations of the temporal propositional letters a to correspond to the respective transitions 
of A, which are identified by observing their source states a" and destination states a"*", 
in the way proposed in the example from Section 12.21 Having this correspondence, the 
probabilistic behaviour of A can be described by formulas such as (j2.4p . If used together 
with the axioms P and P from Section [5l such formulas are sufficient to express the con- 
ditions on the probability functions XX.P'^ {t, X) for w G W which are encoded by the 
components Pa and Qa of the automaton A. Furthermore, the value of fj,{ip){t) is equal to 
W[Qfi]{p{{ip Ai = t; T))) for every DC formula if and every w E W. 

Note that the probabilities expressed by terms of the form p{<f) are determined by using 
the truth values of (p at infinite intervals. That is why the probability for ip to hold at a 
finite interval ending at some future time point is expressed by the term p{{ip; T)), in which 
T accounts of the infinite interval following that end point. 

In our PDC axioms about probabilistic timed automata behaviour we refer to the 
probability Pa{T) for transition a to be over by time r instead of the probability density pa{t) 
for a to finish at time t, which was used in the original paper [DZ99]. This is not a limitation, 

T 

because, at least in the case of piece-wise continuous pa, the relation Pair) = J pa{t)dt 



between Pa and pa can be axiomatised much like (j5.2p . On the contrary, there are practically 
interesting cases such as that of transitions with discrete or finite sets of possible durations 
in which pa cannot be defined whereas Pa exists. 

7. A PROOF SYSTEM FOR PDC 

The proof system for PDC that we propose consists of the DC axioms DC1-DC6, Tl 
and T2 from Section 11.2.41 We demonstrate the relative completeness of this proof system 
in Section [8] below. Since completeness relative to validity in the class of the PITL models 
which are based on Fr, means that all formulas which are valid at such PITL models are 
admitted as axioms, the PITL axioms from Section [3] are no more relevant than any of these 
valid formulas from the formal point of view. 

8. Relative completeness of the proof system for PDC 

The proof of the completeness of the axioms DC1-DC6, Tl and T2 for PDC relative 
to validity in the class of the FR-based models of PITL follows closely the pattern of the 
original relative completeness proof for (non-probabilistic) DC from [HZ92j . The variant of 
this proof about the system of DC based on the modalities of NL from |RZ97] is very close 
to our setting. Therefore we include the proof details mostly for the sake of completeness. 
Below PITL^ stands for the set of the PITL formulas written in the vocabulary L which 
are valid in the class of all -FR-based PITL models. 

Let if he a PDC formula written in some vocabulary L and let S be the set of all 
the state expressions which can be written using only the state variables which occur in ip. 
Given a state expression 5 G S, we denote the set 

{S' € S : 5' is propositionally equivalent to S} 

by [S]. Since (p contains a finite number of state variables, there are finitely many different 
equivalence classes [S] for S S S. Let L' be the ITL vocabulary which consists of the 
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symbols from L, except the state variables, and the fresh flexible constants £[5], S £ S. 
Since there are finitely many classes [S], these flexible constants are finitely many too. If 
all the state expressions which occur in some PDC formula ip are from S, we denote the 
result of substituting every duration term J S with the respective flexible constant £[5] in 
■0 by Note that tp' is a PITL formula with no PZ) C-specific constructs left in it. 

Now consider the set H of all the instances of DC'1-DC6, Tl and T2 for state expressions 
from S. Unless no state variables occur in (p, H is infinite. However, since there are finitely 
many equivalence classes [S], the set 

H' = {a : a G H} 

is finite. We define the sequence of formulas k < uj as follows: 

^Po ^nf\U', ^Pk+i ^ n/yn' Ap(V'fc) = 1 for all k<uj. 

The formula ^ipt states that all the instances of the DC axioms hold with probability 1 at 
interpretations which are accessible through probability terms of height at most k. 

Now assume that ip is consistent with our proof system for PDC . Let n = h{ip) where 
h{<pp) = for if with no occurrence of probability terms, and h{(p) = 1 + max{/i('0) : 
p{tlj) occurs in (p} for 99 with probability terms. Then the formula 

— £ = 00 A (v?' V (99'; i = 00)) A 

is consistent with PITL^. This entails that there is a PITL model M = (Fr, W, /, P), 
wq gW and an interval do G I(R-) such that 

M,wo,ao \= 

Clearly uo € I*"-^ (R). Following the example from |HZ92j . we use M in order to build a 
PDC model for L which satisfies (p. 

We define the ascending sequence of subsets Nq ^ Ni C . . . C N„ of W by the 
equalities 

No = {wq} and = [J {^^ G Wtt,,mmfTo : , v, do \= ipn-k] for A: = 1, . . . , n. 

The set of the behaviour descriptions W for the PDC model we SjIg constructing is N.^. 
Let w G and r G (minao, oc). Let Q be a state variable occurring in 99. Then 

£ = OV(rQl;T) V(hQl;T),£ = OV^ = cx)V(T;rQl) V(T;hQl) GH, 

because these formulas are instances of Tl and T2, respectively. This entails that 

M,«;,[r,r + 1] ^(£[Q] =£A^/0;T)V(£[^Q] =£A£/0;T) 

and 

M, w, [min do, r] [= (T; = ^ a ^ / 0) V (T; ^[^q] = f A ^ / 0), 
which implies that there are some ^, r/ € R such that ^ < t < rj and 

M, w, [r, 7?] ^ £[Q] = £ V ii^Q] = £ and M, /, [C, r] ^ £[q] = £ V ^[.qj = £. 

Let us fix some ^ and rj with this property and denote the open neighbourhood 77) of r 
by OQ,u,,r- Similarly, 



M,ti;,[minao,min(To + l] h {£[q] = £ A £ 0;T) \/ {£[^q] = £ A £ ^ 0;T) 
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and hence there is an r/ > min (Tq such that 

M, w, [min (JO, 7?] h ^[Q] = ^ V = 1 

We fix such an r] and write OQ^w,mmao for the semi-open neighbourhood [min ctq, ry) of min o"o. 
Obviously 

U Oq,«),t = [min 0-0,00). 

t£ [min (To, 00) 

Moreover, Oq^w = {Oq^w,t '■ t € [minao, 00)} is a (relatively) open covering of [minao, 00). 
Here follows the key observation in this proof: the compactness of the intervals of the 
form [min o-q + k, min ao + k + 1] where k = 0, 1, 2, . . . implies that for every such k there 
is a finite sub-covering OQ^w,k C Oq^^ of [minao + k,mmao + A; + 1]. Let OQ^w,k = 
{OQ,^,rQ,„,fc,i,---,OQ,«,,TQ,„,fc,„^j^}- We win use the time points Tq^^^k^i, i = l,...,n„,fc, 
k = 0, 1, . . ., where Q is a state variable occurring in (p to define an interpretation (I')"" 
of L in our PDC model under construction which corresponds to I"' for w € W. Let us 
denote the set of these time points by Cq^w Since mino-Q G Cq^w and Cq^w n a is finite for 
every bounded interval a, the set Cq^^ H [minao, r] contains a greatest time point for every 
r € [mino-Q, 00). (/')'" is defined by the following clauses 

(/')"'(s) = I(s) for all symbols s G L which are not state variables; 

(/')"'((5)(r) = for all state variables Q € L which do not occur in (/? and all r G R; 

{I')^{Q){t) = 1 for state variables P which occur in ip and r such that 

M,w, [r', sup Og^^y] \= i[q] = i, where r' = max(CQ,^n [min ao, r]); 
{I')^ {Q){t) = for state variables Q which occur in p and r such that 

M,w,[t' , sup Oq^jif^r'] \= ^hQ] = ^) where r' is as above and for 

T < mino-Q as well. 

A straightforward argument based on the presence of the appropriate instances of DC1-DC6 
in H implies that this definition of (/')"" is correct and /' satisfies the equality 

{ixu's) = i:^{i[s]) 

for all state expressions 5 G S and all intervals a £ I(-R) such that mino-Q < mino-. 
The functions (P')^ , w G W, are defined using the respective P^ by the equality 

{PT {r, A nW) = P'^iT, A) (8.1) 

for w G Ur=o^ ^'^d r > min a. Since M, wq, o-q \= tpn, the construction of W implies that 
P"'(r, (W')^,r) = 1 for aU such w. Hence if P(r, Ai) ^ P{t, A2), then P(t, Ai n W;„^^) ^ 
P{t,A2 n W^ ,^) as well, which implies that Ai n (W')«,,r / ^2 n (W')«,,r- That is why 
the equality (j8.ip defines the function (P')^ correctly. We allow {P')^ to be arbitrary for 
w G W \ Ur=o ' because the truth values of formulas of probability height up to n at 
tfQjO-Q do not depend on these functions. 

Let M' = (i^R,, W', I', P'). An induction on k implies that \i ip \s a. PDC formula 
written in L, h{'tjj) < k, w £ a £ I(R-)i mino- > mino-Q and k + i < n, then 

M',w,a ^tl;iSM,w,a^i>' and P"'(max(T, WJm,^,^) = {P'Tir, Mm',^,.). 

This, in particular, implies that 

M', Wo, ao\= if or M', wq, o-q \= {p;i = 00). 

In the latter case M',wo,a \= p for some cj G I^"'(R) such that mino- = mino-Q. 
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This concludes the proof of the relative completeness of the axioms DC1-DC6, Tl and 
T2 for PDC, because we have shown that the assumption that a given PDC formula is 
consistent with this proof system entails that the formula is satisfiable at a PDC model. 

9. PITL WITH INFINITE INTERVALS AND PNL 

The system which is closest to PITL both in its semantics and proof system is the 
probabilistic extension of neighbourhood logic PNL which was proposed in [GueOO] . The 
modalities and of NL are defined by the clauses: 

M, a \= Oiip iff M, a' \= if for some a' such that max a' = miner 
M, a \= Or(p iff M, a' \= if for some a' such that min a' = max a 

Oi and O r are called expanding modalities because they allow access outside the reference 
interval. The dual modalities of Od are defined by the clauses 

Od ^ -'^r-'OdV' 

for d G {/, r}. 

A duration calculus on the basis of NL was developed in |RZ97| . Infinite intervals are 
an alternative way to achieve the expressivity oi Or- A truth preserving translation from 
ITL with infinite intervals to NL is impossible for the trivial reason that NL does not have 
infinite intervals and there is no straightforward way to capture the ITL interpretation of 
flexible symbols at infinite intervals. Furthermore, NL duration domains known from the 
literature do not include oo, but include negative durations. However, if the only flexible 
symbols in the considered vocabularies are i and state variables, then the duration calculi 
based on NL and on ITL with infinite intervals, respectively, can be related by means of a 
translation which has the following property: 

If ip is the NL-hased DC formula which is the translation of some ITL-hased 
DC formula and FV{ip) = {xi, . . . , Xn}, then 

M',[r,r] iff M,[r, oo] (9.1) 

where the duration domain of the ITL model M is obtained from that of the NL model 
M' by removing the negative elements and adding cxd, and the meanings of the non-logical 
symbols in M and M' on the intersection of the two duration domains are the same. We 
describe such a translation in this section. 
The predicate logic equivalences 

R{ti, . . . ,tn) <^3xi . . . 3Xn ^R{X1, . . . ,Xn) /\ /\ti = Xi^ 

and 

/(tl, ...,tn)=Z<^3xi... 3Xn ^f{xi, . . . , Xn) = Z A f\ti = Xj^ , 

where xi, . . . ,Xn do not occur in ti, . . . , allow us to assume that all atomic subformulas 
of the ITL formulas to be translated are either rigid of have the form J S = x where x is 
a variable. We can also treat i as J 1. The clauses below define two auxiliary translations 
and (.)*"-'^ from ITL-hased to iVL-based DC. (.)^"' translates an ITL formula which is 
to be evaluated at a finite interval into its NL equivalent, {.y^^ translates an ITL formula 
which is to be evaluated at an infinite interval a into a corresponding NL formula which 
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defines the same condition on a when evaluated at the zero- length interval [min a, min a] . 
[.y^^ refers to (.)-^" for the translation of (.; .)-formulas. Both auxiliary translations are 
correct only under the assumption that the free variables of the given ITL formulas range 
over non-negative finite durations. Infinity is handled only where explicitly denoted by the 
symbol oo. Atomic formulas . . . ,tn) with the parameter list ti, . . . ,t„ consisting of 

individual variables and, possibly, oo translate into dedicated specialising formulas 
which define the appropriate predicates on the non-oo parameters according to the intended 
meaning of R and the positions of the occurrences of oo in fi, . . . ,tn. For instance, 
is X = y, S"^^ is _L, and 5^ ^ is T. Atomic formulas with = and function symbols are 
handled similarly, e.g. the formula S^^^.y for x + oo = y is _L, and S^^^.^ is T. 

_|_/in _^ _|_ 

(/5 = oo)^" ^ ^_ 

(jS = xf'^ ^ i'S = x 

{ip;tljf'' ^ ^x3y{Jl = x + y^OlOr{^ = x^^pfi''^Or{^ = y^'^|J^'^))) 

(3x¥?)^" ^ ([oo/x]v3)^" V 3x(x > A v?^") 

j_m/ _^ j_ 

(/(tl, . . . = tn+l)"-^ ^ 5'/i,...,t„;t„+i 

(/5 = 00)*"-^ — ^xOr]S>X 

(/5 = X)*"^ ^ Or{j S = X ^u, j S = {)) 

(3x(/7)*"^ ^ ([oo/x](/?)*"-^ V 3x(x > A 

As mentioned above, {.y^f is correct only under the assumption that the free variables of 
the given ITL formulas range over non-negative finite durations. To remove this restriction, 
given an ITL formula (p whose free variables are we define the sequence of 

formulas ifQ, . . . ^ipn by the clauses 

^ Lp and ^ (xj > A ^i-i) V [oo/xj]93j_i for z = 1, . . . , n, 

and choose the formula from (19. ip to be {(fnY^^ ■ This translation can be extended to 
one between PDC with infinite intervals and a system of probabilistic DC based on NL by 
putting 

(p(^) = x)^" ^ p(</'"-^) = X. 

lp{ip) = xY'^f ^ v?™-^ A X = 1 V ^y?*"^ A X = 0. 
A translation from NL into ITL with infinite intervals is possible too under the assumption 
that there is a time point tq such that the values of all flexible symbols except i at intervals 
starting before tq are irrelevant to the truth value of the translated formula. This restriction 
is necessary, because an ITL formula cannot express conditions on the past prior to the 
beginning of the infinite reference interval. It can be avoided if one considers a system of 
ITL with intervals which can be infinite into the past as well, which is beyond the scope of 
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this paper. If a property does not depend on the interpretation of the flexible symbols on 
the left of the beginning of the reference interval and can be expressed by an NL formula, 
then it can be expressed by an NL formula in which the only occurrences of are in 
subformulas of the form O/O^x- Given an NL formula ip which satisfies this syntactical 
restriction, one can find an ITL formula ■0 such that M, [ro,oo] \= ip is equivalent to the 
existence of a ri > tq such that M', [To,ri] \= ip. Below we give a translation which, given 
a (/9 of the form 



produces a corresponding ip. This translation produces formulas constructed using 3, 
_L, rigid formulas and formulas of the form 



with a being a modality-free formula. The translation works by reducing the number of the 
occurrences of O/O^ and O,. in formulas of the form (19. 2p . yet with a being a NL formula. 
The ITL formula tp is obtained by starting from = 0; £ = A Oc/j; T). To understand the 
correctness of the translation, one can think of a system which has all the modalities (.;.), 
and Oj., with the obvious semantics, and check that the translation rules correspond to valid 
equivalences at infinite reference intervals, provided that the free variables of the involved 
formulas have finite non- negative values. Here follow the transformation rules which define 
the translation: 



The individual variable z in the rules above is supposed to be fresh. The last rule can 
be applied only \i x ^ FV{ti), FV{t2)- This translation can be extended to one from PNL 
to PITL by mapping NL probability terms p{(p) to PITL corresponding probability terms 
p{ip) where ip is the translation of ip. 



We conclude by discussing some restrictions on the scope of the completeness results 
about PITL and PDC presented in this paper. 

Countable additivity of probability functions. According to our definition, the probability 
functions in PITL models are required to be just finitely additive, whereas classical prob- 
ability theory is about countably additive probability functions. One simple reason for 
this is the choice to have an abstract domain of probabilities which is not required to be 
Dedekind-complete and therefore the infinite sums which are relevant to countable addi- 
tivity cannot be guaranteed to exist. The difficulty in axiomatising countable additivity 
becomes even more obvious from the observation that PITL has the Ldwenheim-Skolem 
property. This means that countably-infinite consistent sets of PITL formulas can be sat- 
isfied at countably-infinite models, which, in particular, have countably-infinite domains. 
This follows immediately from the construction of the PITL model in the completeness 



if ::= ±\ R{t, . . . ,t) \ {if ^ if) \ Orif I OiOr^ \ ^x{x > A y?) 





{i = tr,i 
{i = ti;£ 
{i = ti;£ 
{i = ti;£ 



t2 A(xi ^X2);T) ^ (£ = ti;^ = t2 Axi;T) {i = tr,i = t2Ax2;T) 
t2 A Orx; T) ^ 3z{£ = ti + t2;e = z Ax;V 

t2 A OlOrX; T) ^ 3z{i = ti;e = zAx;V 

t2 A 3x{x > A x); T) ^ 3x{x < oo A (£ = ti; ^ = t2 A x; T)) 



Concluding remarks 
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argument for our proof system. Countably-infinite PITL models with countably additive 
probability functions validate formulas of the form 

yx{p{ip) = 0) =^ pi^xif) = 0. 

This follows immediately from the fact that x ranges over a countably-infinite domain. 
Hence, the above formula should be a theorem in a proof system which is complete with 
respect to models with countably additive probability functions, as long as the Lowenheim- 
Skolem property holds. However, this formula is not valid in arbitrary models. 

Completeness of PDC relative to (non-probabilistic) real-time ITL. Our demonstration that 
some well-known axioms of (non-probabilistic) DC form a proof system which is complete 
relative to probabilistic ITL with infinite intervals was hardly a technical challenge, given 
the similar proofs from |HZ92l IRZ97] . It would have been interesting to develop a proof 
system for PDC which is complete relative to real-time ITL without probabilities. The 
proof of Lemma 14.111 which is the key step in our model construction for the completeness 
argument for PITL, explains why this is impossible. The model construction involves an 
expression of r-equivalence by the formulas 

(□V(x"^x"') A^ = c;^ = oo) (9.3) 

for T being the equivalence class [c] of the rigid constant c. The relation of r-equivalence 
is needed to hold between any given w G W from a PDC model M = (Fr, W, /, P) and 
the V G W which are needed to populate IvjJa/.uj.o- for 93 such that M,w is supposed to 
satisfy p{(p) 7^ at intervals a whose end point is r. The proof of Lemma |4. 1 1 1 relies on the 
possibility to use the formulas (j9.3p and an assumption which essentially amounts to the 
derivability of ^(p from some appropriately chosen formulas in order to derive the existence 
of a formula such that the same formulas imply (9 A I = c;i = 00) =^ ^ip, which in its 
turn enables an application of the PITL proof rule P< to derive 9 =^ piv^) = and reach 
the aimed contradiction. The existence of the formula 9 amounts to the interval-related 
intepolation property of ITL with infinite intervals (see Section r4.ip . Unfortunately, DC has 
neither this interpolation property, nor the related Craig interpolation property |Gue04b] . 
The counterexample to Craig interpolation in |Gue04b] indicates that the property could 
possibly be restored by allowing infinitary formulas to take the role of 9. DC is not a 
compact logic and therefore derivability from infinite sets of premises is not reducible to 
derivability from finite ones. Hence, in order to achieve sufficient deductive power, the proof 
rule P< would have to be replaced by one allowing infinitary formulas on the left of =^ as 
well. The deductive power of a finitary rule would be insufficient for the role of P< in any 
presumable finitary proof system for PDC that is complete relative to (non-probabilistic) 
real-time ITL with infinite intervals. 
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